MQTT Embedded Binding allows anonymous connections


I have a question regarding the embedded mqtt broker. After installing it, everything works fine, BUT somehow it allows connecting without password.
So what I did is follwing:

I’ve installed the broker via paperUI: MISC --> Embedded MQTT Broker
Then I went to Configuration -> Services -> MQTT Embedded Broker -> Configure
There I put a username and Password.

On windows I insatlled MQTT explorer for testing. So I connected to the openhab server from windows, putting username and password
and it worked fine. Also sending/receiving some messages with 2 different clients worked.

Now I tried to connect without putting username and password and it did also work. Further I could also interact with clients that were connected with password.

So for me it looks like a bug in the embedded broker. Does anybody else also has this experience, or any hints what I am doing wrong?