Security Issue in latest Openfire 4.7.5 (Admin account take over)

Thanks for taking the time to report this!

For future reference: it is preferable to disclose a vulnerability in a way that’s not as public as this forum is. We have set up a way to report security issues. You can find more information here: https://discourse.igniterealtime.org/t/ignite-realtime-security-information/

What you’ve reported is not so much a security vulnerability in the REST API, as it is in the way you have used the REST API in your product. The REST API exposes system administration functionality. It allows its users to read from and apply changes to core parts of Openfire.

What the REST API is not intended for is to be used by end-users directly! The REST API should be treated as an administrative interface. Credentials used for its access should not be embedded in chat clients! Ideally, access to the REST API endpoints should be limited (through access control lists / firewall rules) to very specific systems that are allowed to interact with it.
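The pattern the reply above recommends, shown as an added example that is not part of this thread and not code from Openfire or the REST API plugin: a small server-side broker holds the REST API credential, authenticates end users with its own sessions, and forwards only one narrowly allowlisted operation. The base URL, the `/users/{username}` path, the `Authorization` header format, the session table and the secret value are all constructed assumptions for the illustration.

```python
"""Broker between end-user chat clients and the Openfire REST API.

Added illustration of the recommended architecture; not Openfire or REST API
plugin code. Every host, path, header format, session and secret below is a
constructed assumption for the example.
"""
import json
import urllib.request

# The REST API secret lives only on the broker host and is never shipped in a
# chat client build. Placeholder value.
REST_API_SECRET = "REPLACE-WITH-REAL-SECRET"

# Assumed base URL; the plugin's real mount point and port may differ.
REST_API_BASE = "https://openfire.internal:9091/plugins/restapi/v1"

# The only operations the broker will perform on behalf of an end user.
# Anything outside this table is refused before the REST API is contacted.
ALLOWED_OPERATIONS = {
    "change_own_password": ("PUT", "/users/{username}"),  # assumed path
}

# Constructed session store: opaque session token -> authenticated username.
# A real broker would consult its own login system here.
SESSIONS = {"sess-abc123": "alice"}


def authorize(session_token: str, operation: str, target_user: str):
    """Map an end-user request onto the single REST API call it may trigger.

    Raises PermissionError when the session is unknown, the operation is not
    allowlisted, or the user tries to act on an account other than their own.
    Returns (http_method, api_path) otherwise.
    """
    username = SESSIONS.get(session_token)
    if username is None:
        raise PermissionError("unknown or expired session")
    if operation not in ALLOWED_OPERATIONS:
        raise PermissionError(f"operation {operation!r} is not permitted")
    if target_user != username:
        raise PermissionError("users may only modify their own account")
    method, path_template = ALLOWED_OPERATIONS[operation]
    return method, path_template.format(username=username)


def is_permitted(session_token: str, operation: str, target_user: str) -> bool:
    """Boolean form of authorize(), convenient for request handlers and tests."""
    try:
        authorize(session_token, operation, target_user)
        return True
    except PermissionError:
        return False


def build_request(method: str, path: str, payload: dict) -> urllib.request.Request:
    """Build the outbound REST API request. The shared secret is attached
    here, server side, so the client never sees it. Header format assumed."""
    body = json.dumps(payload).encode()
    return urllib.request.Request(
        REST_API_BASE + path,
        data=body,
        method=method,
        headers={
            "Authorization": REST_API_SECRET,
            "Content-Type": "application/json",
        },
    )


def handle(session_token: str, operation: str, target_user: str, payload: dict):
    """Full broker path: authorize the end user, then build the REST API call
    with the server-held secret. The caller sends it with urllib or similar."""
    method, path = authorize(session_token, operation, target_user)
    return build_request(method, path, payload)


if __name__ == "__main__":
    # Constructed request: alice changes her own password through the broker.
    req = handle("sess-abc123", "change_own_password", "alice",
                 {"password": "new-password"})
    print(req.get_method(), req.full_url)
    # A client trying to act on another account is refused before any call.
    try:
        handle("sess-abc123", "change_own_password", "bob", {})
    except PermissionError as exc:
        print("refused:", exc)
```

The chat client only ever talks to the broker with its own session token; the REST API credential, the administrative base URL and the decision about which accounts may be touched all stay server side. A firewall rule on the Openfire host that admits connections to the plugin's port only from the broker's address (the plugin is served through the admin console's HTTP/HTTPS listener) completes the separation the reply describes.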