Refer
http://www.freelists.org/post/dokuwiki/Betr-Patch-Attached-Optionally-prevent-unknown-internet-users-to-browsethe-full-media-file-tree-with-mediamanager,4
Users with read only access to a wiki or a namespace in a wiki can browse available media files by entering the direct url to the media manager.
I'm not sure this qualifies as a security issue, but I do think the behaviour qualifies as unexpected. A user with read access, can not edit a page, so does not get the edit toolbar, so can not press the media button to get access to the mediamanager. For me that creates an expectation that a read only user can not access the mediamanager so can not see uploaded files that are not currently visible on the wiki.