Based on what I'm reading, Atlassian "solved" the issue by creating the dark features.  On your version, you should incorporate one of the two fixes:

To workaround this bug on Jira versions listed in "fixed in versions" above, one of the two techniques can be used:

• Add the dark feature "public.access.disabled" (see How to control anonymous user access in a public Jira instance)
  • In the fix versions above, the endpoint will now return 401 for anonymous users.
• Add the newly added dark feature "com.atlassian.jira.plugin.issuenavigator.anonymousPreventCfData.enabled"
  • 200 will be returned, however the output will filter out all custom fields from response only when not authenticated
  • The side effect of turning on "com.atlassian.jira.plugin.issuenavigator.anonymousPreventCfData.enabled" flag is that in basic mode of issue search (https://confluence.atlassian.com/jirasoftwareserver/basic-searching-939938708.html) there won't be any custom fields available for anonymous uses + there should be warning presented that "You’re not logged in, so you can’t use custom fields in basic search. Log in or switch to advanced search.".
    Advanced mode should work fine (https://confluence.atlassian.com/jirasoftwareserver/advanced-searching-939938733.html).