Nope This issue is in the 404 page. So we can execute the payload with login or without login in the application. I have reported the scenario like cookie steeling by sending to the users that have logged in.