The cookie is not a security measure; it’s meant to prevent distinct clusters from crossing each other on a local and secure network. The documentation states that it’s there to prevent accidental misuse, not a deliberate attack.
We never considered this a security issue in and of itself because no one in their right mind would run the unencrypted and unauthenticated Erlang distribution unsecured over the internet.
There is nothing to fix other than for people who do that to stop doing that.
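A defender-side check for the exposure described above, as an added example that is not part of the original statement: it parses `ss -H -tlnp` output and lists epmd or Erlang VM listeners bound to non-loopback addresses. The sample output is constructed, the function names are hypothetical, and a `beam.smp` listener is only a candidate for review, since the VM may also serve other protocols.

```python
import ipaddress
import re

EPMD_PORT = 4369                      # epmd's default port
ERLANG_PROCS = {"epmd", "beam.smp", "beam"}

# Constructed sample of `ss -H -tlnp` output (not taken from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:4369 0.0.0.0:* users:(("epmd",pid=812,fd=3))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=901,fd=5))
LISTEN 0 128 0.0.0.0:41233 0.0.0.0:* users:(("beam.smp",pid=1200,fd=17))
LISTEN 0 128 127.0.0.1:9100 0.0.0.0:* users:(("beam.smp",pid=1300,fd=19))
LISTEN 0 4096 [::]:4369 [::]:* users:(("epmd",pid=812,fd=4))
"""


def is_loopback(host):
    """True only for addresses bound to loopback; wildcards count as exposed."""
    host = host.strip("[]").split("%")[0]   # drop IPv6 brackets and %scope
    if host == "*":
        return False
    return ipaddress.ip_address(host).is_loopback


def exposed_erlang_listeners(ss_output):
    """Return (process, host, port) for Erlang-related non-loopback listeners."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        match = re.search(r'\(\("([^"]+)"', line)
        proc = match.group(1) if match else "?"   # "?" when ss ran without -p rights
        erlang_related = proc in ERLANG_PROCS or int(port) == EPMD_PORT
        if erlang_related and not is_loopback(host):
            findings.append((proc, host, int(port)))
    return findings


if __name__ == "__main__":
    for proc, host, port in exposed_erlang_listeners(SAMPLE_SS):
        print(f"review: {proc} listening on {host}:{port}")
```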