Unless I'm not understanding something (quite possible), the issue I see with this bug is that once someone discovers its effects, they can effectively kill a server using Orion: Open Orion, load the site in question into 100 (or 200 or 500 or 1000) tabs, then enter incorrect login info.
The server will now be processing 2500 (or 5000 or 12,500 or 25,000) login attempts per second, and it won't stop. And that's just using one machine. Add in a few more, and you have a very effective attack setup for any site that has a page with an httpauth login.
It may only have two votes, and it's not for me to set your priorities, but this is a bug that can take down a web server, which would seem to up its importance factor in my book. Or am I missing something about this?
EDIT: Just saw the "next release" tag, which I missed before posting. That's great news, thanks for the update.
-rob.