RBAC Privilege Escalation via Opto22 Groov View API
Published 2025-11-20. Author: github.com

Impact

The View Users API endpoint returns a list of all users and their associated metadata, including each user's web API token. This endpoint requires only the Editor role to access, yet it displays the API keys of all users, including system-wide admins.

Vulnerability Description

An RBAC privilege escalation issue was found that allows a malicious user with the Editor role to escalate to admin-level access by leaking the web API tokens of targeted admin users.

Identification and Remediation

This issue was identified during a Red Team X assessment and is disclosed in CVE-2025-13084. It has since been resolved and a fix has been made available for customers.
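The flaw described above is a combination of two defects: an authorization gate set at the wrong role, and a serializer that emits a secret field in a bulk listing. The following is an added illustration of that pattern and a hardened variant; it is constructed example code, not groov View's implementation, and the role names, field names, and sample users are assumptions.

```python
"""Constructed model of a user-listing endpoint that leaks API tokens to
Editor-level callers, alongside a hardened version. Not Opto 22 groov View
code; roles, field names and sample users are assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, List

# Assumed role ordering; higher rank means more privilege.
ROLE_RANK = {"viewer": 0, "editor": 1, "admin": 2}

# Field names that must never appear in a multi-user listing response.
SECRET_FIELDS = {"api_token", "password_hash"}


@dataclass
class User:
    username: str
    role: str
    api_token: str  # bearer secret: whoever holds it acts as this user


# Constructed sample directory; these are not real credentials.
USERS: Dict[str, User] = {
    "alice": User("alice", "admin", "tok-admin-0001"),
    "bob": User("bob", "editor", "tok-editor-0002"),
    "carol": User("carol", "viewer", "tok-viewer-0003"),
}


def _has_role(requester: User, minimum: str) -> bool:
    """Role check that fails closed on unknown roles."""
    return ROLE_RANK.get(requester.role, -1) >= ROLE_RANK[minimum]


def view_users_vulnerable(requester: User) -> List[dict]:
    """The pattern the advisory describes: an Editor-level gate, after which
    every user's record, admin tokens included, is serialized verbatim."""
    if not _has_role(requester, "editor"):
        raise PermissionError("editor role required")
    return [vars(u) for u in USERS.values()]


def view_users_hardened(requester: User) -> List[dict]:
    """Two independent controls: the listing requires admin, and secret
    fields are stripped from every record regardless of who is asking. A
    user's own token belongs on a dedicated self-service endpoint, never in
    a bulk listing."""
    if not _has_role(requester, "admin"):
        raise PermissionError("admin role required")
    return [
        {k: v for k, v in vars(u).items() if k not in SECRET_FIELDS}
        for u in USERS.values()
    ]


def leaked_admin_tokens(records: List[dict]) -> List[str]:
    """Audit helper: which admin tokens does a listing response expose?
    Useful as a regression test against any bulk user endpoint."""
    return sorted(
        r["api_token"]
        for r in records
        if r.get("role") == "admin" and "api_token" in r
    )


def response_exposes_secrets(records: List[dict]) -> bool:
    """Generic check that no record in a listing carries a secret field."""
    return any(SECRET_FIELDS & set(r) for r in records)


if __name__ == "__main__":
    bob = USERS["bob"]  # an Editor
    print("vulnerable, editor sees admin tokens:",
          leaked_admin_tokens(view_users_vulnerable(bob)))
    try:
        view_users_hardened(bob)
    except PermissionError as exc:
        print("hardened, editor denied:", exc)
    admin_view = view_users_hardened(USERS["alice"])
    print("hardened, admin listing leaks secrets:",
          response_exposes_secrets(admin_view))
```

The `leaked_admin_tokens` and `response_exposes_secrets` helpers are the part worth carrying into a real code base as tests: run them against every listing endpoint's serialized output so that a secret field creeping into a response, or a role gate being lowered, fails the build rather than shipping.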


Source: https://github.com/metaredteam/external-disclosures/security/advisories/GHSA-wvxp-wpwp-mmpw