hook_menu has an item argument for 'access callback' which allows people to define permissions on a router path. Normally, paths have some sort of check on them, usually user_access + a permission, but sometimes a check specific to the path (cf, the node paths).
The API also allows "naked" menu items that don't have any access check. This is done by setting the 'access callback' key to TRUE. Mistakes with this can lead to access bypass problems.
I have seen it in two instances in the wild, but I am sure there are others.
One is on paths that always need to be accessible. For example, some sites have have an age check, and users must declare their age before accessing the site.
Another is with webservice callbacks. A module makes a webservice call out, and gives it a callback path. When the webservice is done, it does a POST to the callback it was given.
Are these security problems? When is setting 'access callback' == TRUE OK?

Comments
/I swear I had
/I swear I had responded.../
I think there are multiple cases where this is fine. I've done it before on sites where "access content" was reserved for registered users but I wanted to have a page of content that showed to all users. I guess its possible to solve that in other ways (an access callback that returns true, a new permission granted to anonymous) but this is the fastest and most obvious way to get the job done.
knaddison blog | Morris Animal Foundation