Adding to the query string via input

I have a form that takes multiple input fields and makes an API request via GET.

The fields are not properly sanitizing input and I am able to add arbitrary parameters to the query string by submitting input such as test&color=red.

Instead of some sort of encoding, the resulting API query looks like api.com/search?field=search&color=red

I cannot think of any malicious use to this, as anybody could just hit this endpoint directly or use a proxy to bypass any client side validation.

If you were performing an application review, is this something that might be worth calling out?