Even though Blockchain.com has been aware of this flaw since 2019, it still has not been fixed.
As far as I know, blockchain.com fixed that vulnirability and patched it. The issue is that they refused to pay the bug bounty to the person who discovered it. It was
BayAreaCoinsYou can read the full story from here:
https://bitcointalk.org/index.php?topic=5193539.0