The patched version have been published here:
However, there have been some regression (e.g. the admin issue that I think you’ve also experienced). Everything afterwards should be CVE free. The thing is that the Lucee dev team didn’t make the CVE changes public on the source repository(the commits and changes can’t be seen on github) just to make sure to make reverse engineering more diffucult). That gave admins more time time to upgrade. But, the issue is probably going to be disclosed soon, so this is a warning that the finder of the issue is likely to be publish the CVE with a poc soon