See https://hackerone.com/reports/774. A researcher reports that you can CSRF the login form for a logged-out user. That is, if you know the username and password of a Phabricator account, you can execute a targeted attack which logs a victim in with those credentials by having them visit a page which submits a login form on their behalf. (They must not already be logged in to another account.)
I think this is really scraping the bottom of the barrel in terms of legitimacy, but does represent a capability escalation and isn't an attack I was cognizant of (the lack of logged-out CSRF is known, but not threatening in other cases). I'm going to award this as legitimate and fix it.