It doesn't require a login to request a refresh, but you do need a CSRF token. There is not a lot to gain by putting the refresh request behind a login - it doesn't do anything if there is no update available.
Thanks for highlighting - now fixed.
In general, if you have concerns about security issues, its best to raise them with us privately rather than air them in a public forum - just in case there is a genuine issue. That allows us to address any potential issue before it is made public and could get exploited.