It is possible for a client to become a server operator
It is possible for a modded client to become a server operator (modded client, but vanilla server). I imagine this should not be possible.
I found this issue while modding the game myself, trying to debug why I can still mine blocks after setting the player's visitor status on a server without sending the client an AdventureSettingsPacket. To debug it I used a vanilla server and a modded client that tries to set itself operator-level privileges (I called player.abilities.setPlayerPermissions(OPERATOR) every tick). While this didn't immediately enable the operator status, I figured out it allowed me to make myself an operator in the pause menu. This allows me to execute any operator-level command on the server.
From what it seems, this happens because ServerNetworkHandler::handle(NetworkIdentifier const&, AdventureSettingsPacket const&) blindly accepts the packet from all clients and updates the specified player's abilities (operator status is one of those).
I can provide a short video tomorrow illustrating the exploit.
I used a OnePlus 5 to host the server for the test.
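One way a server can authorize an ability-changing packet from its own state, as an added example that is not the game's code and not part of the original report. Every type and name below is a hypothetical stand-in, and the policy (only a sender the server already records as operator may change abilities) is an assumption.

```cpp
// Added illustration; NOT the game's code. All types and names are hypothetical.
#include <cstdint>
#include <iostream>
#include <string>
#include <unordered_map>

enum class Permission { Visitor, Member, Operator };
struct AdventureSettings { std::uint64_t targetEntityId; Permission requested; bool mayBuild; };
struct Player { std::uint64_t entityId; Permission permission; bool mayBuild; };
enum class Verdict { Applied, RejectedUnknownSender, RejectedUnknownTarget, RejectedNotOperator };

class Server {
    std::unordered_map<std::string, Player> bySession_;  // connection id -> server-held state
public:
    void join(const std::string& session, std::uint64_t id, Permission p) {
        bySession_[session] = Player{id, p, p != Permission::Visitor};
    }
    const Player* find(const std::string& session) const {
        auto it = bySession_.find(session);
        return it == bySession_.end() ? nullptr : &it->second;
    }
    // The packet is a request. Privilege is decided from the server's record of the sender.
    Verdict handle(const std::string& senderSession, const AdventureSettings& pkt) {
        auto sender = bySession_.find(senderSession);
        if (sender == bySession_.end()) return Verdict::RejectedUnknownSender;
        Player* target = nullptr;
        for (auto& kv : bySession_)
            if (kv.second.entityId == pkt.targetEntityId) target = &kv.second;
        if (!target) return Verdict::RejectedUnknownTarget;
        // Assumed policy: only a server-recorded operator may change anyone's abilities.
        if (sender->second.permission != Permission::Operator) return Verdict::RejectedNotOperator;
        target->permission = pkt.requested;
        target->mayBuild = pkt.mayBuild;
        return Verdict::Applied;
    }
};

int main() {
    Server s;
    s.join("conn-member", 1, Permission::Member);    // constructed sample sessions
    s.join("conn-op", 2, Permission::Operator);
    Verdict v = s.handle("conn-member", AdventureSettings{1, Permission::Operator, true});
    std::cout << "self-promotion rejected: " << (v == Verdict::RejectedNotOperator) << "\n";
    return 0;
}
```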
2018-01-24, 11:32 PM
2018-07-13, 12:21 PM
2018-07-13, 12:21 PM