My guess is that you are mixing several concepts of “API”. The “API” you linked (in the developer website) is a common application library. You compile plug-ins against this library and it calls the main application. That’s all. It’s all happening offline on your system, there are no remote calls, no TLS, no HTTP, no user authentication, nothing of the stuff you asked about…
Whereas when we look at your initial questions, I am guessing the question your internal review is trying to get an answer for is: does this software access some service online? And the answer to this is: no. GIMP is a desktop software. It doesn’t need internet and doesn’t need to run any HTTP/HTTPS query for normal usage.
Similarly your questions mention “API users”, “authentication framework” or “user database”; there is no such thing here. GIMP is a very old-school desktop application. No internet is needed for it to work properly and none of its features require any HTTP(S) calls.
We found that GIMP contains a buffer overflow vulnerability. An attacker could exploit this issue by passing a crafted file to the application, which would result in an application crash. Is there any solution for this?
The solution is to fix the bug. Or what other solution are you looking for? On Linux you have various options for running GIMP in a sandbox environment, like using the Flathub package, so it is better isolated from the OS. I don’t know about other OSes.
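An added example, not part of this thread, of the isolation the answer above points at: a POSIX shell script that audits a `flatpak info --show-permissions` listing for the Flathub GIMP package (real app id org.gimp.GIMP) and prints the `flatpak override` commands that narrow the sandbox. The listing below is constructed for the example, not captured from a live system.

```shell
#!/bin/sh
# Added example: audit a Flatpak permission listing for GIMP and suggest
# overrides that narrow the sandbox. On a real system the listing comes from:
#   flatpak info --show-permissions org.gimp.GIMP
APP_ID="org.gimp.GIMP"

# Constructed sample in the ini-style format that command prints.
SAMPLE_PERMISSIONS='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=host;xdg-config/gtk-3.0:ro;
'

# audit_permissions: reads a listing on stdin, prints one finding (plus the
# override command) per risky entry, returns 1 if any were found, else 0.
audit_permissions() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            filesystems=*)
                # Split the ';'-separated list and flag broad host access,
                # which lets a crash-inducing crafted file reach any file.
                entries=${line#filesystems=}
                IFS=';'
                for e in $entries; do
                    case "$e" in
                        host|host-os|host-etc|home)
                            echo "broad filesystem access: $e"
                            echo "  flatpak override --user --nofilesystem=$e $APP_ID"
                            found=1 ;;
                    esac
                done
                unset IFS ;;
            shared=*network*)
                # GIMP needs no network for normal use, so unshare it.
                echo "network access granted (GIMP does not need it)"
                echo "  flatpak override --user --unshare=network $APP_ID"
                found=1 ;;
        esac
    done
    return $found
}

printf '%s' "$SAMPLE_PERMISSIONS" | audit_permissions || echo "review the overrides above"
```

Feed the script the live listing with `flatpak info --show-permissions org.gimp.GIMP | audit_permissions` to audit the installed package instead of the sample.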