We had a number of places like this one, which needed access to global properties before authentication. As a result, this was intentionally left as not requiring authorisation. But this was designed more than 10 years ago, and hence it could be time to revisit it.
@rohit.yawalkar - Can you log JIRA issue for openmrs code (OpenMRS JIRA), and pick up this fix to add authorizations for mutation APIs of global properties?