The salt.auth.pki module does not properly authenticate callers. The password field contains a public certificate which is validated against a CA certificate by the module. This is not pki authentication, as the caller does not need access to the corresponding private key for the authentication attempt to be accepted.
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.