The build-status/1.0/commits/{commitId} REST endpoint allows any authenticated user with LICENSED permission to update the build status for a commit.  It would be useful in environments using CI for the CI system to be the single source of truth for build status.  This would require more granular permissions around this endpoint to restrict the updating of build status to a specific user or role.

Workaround

Stop such requests before they reach Bitbucket at a proxy level.