The bug allows listing the names of arbitrary file on the webserver - not their contents. This could leak private information about wiki pages and server structure.
A hotfix named 2009-12-25b was released and can be downloaded at http://www.splitbrain.org/go/dokuwiki
If you want to manually fix the flaw, replace the ACL Manager plugin in lib/plugins/acl/ with the version available at http://www.dokuwiki.org/_media/plugin:acl-plugin.tgz
and increase the number in conf/msg to 24.