Although the autogenerated checkuser API documentation says that it accepts POST request only, it appears to accept GET requests as well. I clicked on one of the demo links, which should have failed since it's GET, and instead it actually ran the check and generated an entry in the CU log.
Version: unspecified
Severity: normal