WakaTime: Broken Access Control Exposes Email Verification Status and Privacy Settings via API Endpoint
Description
The /api/v1/users/{username} endpoint leaked sensitive email-related metadata, such as the user's email confirmation status and privacy settings, without proper authorization checks. This allowed attackers to determine whether an account's email address was confirmed and the user's email privacy preferences, even if the email itself was…
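The defect described above is a field-level authorization gap: the handler serialized owner-only metadata for every caller. The following Python is an added illustration, not WakaTime's code, of the vulnerable serializer beside a hardened one that emits email metadata only to the authenticated profile owner, plus a small regression check. The field names (`email_confirmed`, `email_public`), the in-memory user table and the `requester` parameter are assumptions chosen for the example.

```python
# Added example (not WakaTime's code). Field names, sample users and the
# handler signature are assumptions made for illustration.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    username: str
    email: str
    email_confirmed: bool   # owner-only metadata
    email_public: bool      # owner-only privacy preference

# Constructed sample data for the demo.
USERS = {
    "alice": User("alice", "alice@example.com", True, False),
    "bob": User("bob", "bob@example.com", False, True),
}

# Fields that must never reach anyone other than the profile owner.
OWNER_ONLY_FIELDS = frozenset({"email_confirmed", "email_public"})


def serialize_user_vulnerable(user: User) -> dict:
    """Reproduces the flaw: owner-only metadata is emitted for every caller."""
    return {
        "username": user.username,
        "email": user.email if user.email_public else None,
        "email_confirmed": user.email_confirmed,
        "email_public": user.email_public,
    }


def serialize_user(user: User, requester: Optional[str]) -> dict:
    """Hardened serializer: start from the public view and add owner-only
    fields only when the authenticated requester is the profile owner."""
    view = {"username": user.username}
    if user.email_public:
        view["email"] = user.email
    if requester is not None and requester == user.username:
        view["email"] = user.email          # owners may see their own address
        view["email_confirmed"] = user.email_confirmed
        view["email_public"] = user.email_public
    return view


def get_user(username: str, requester: Optional[str] = None) -> Optional[dict]:
    """Mock handler for GET /api/v1/users/{username}; no web framework.
    `requester` is the authenticated caller's username, or None if anonymous."""
    user = USERS.get(username)
    if user is None:
        return None
    return serialize_user(user, requester)


def has_owner_only_leak(response: Optional[dict]) -> bool:
    """Regression check: True if a response contains any owner-only field.
    Run it against responses produced for anonymous or third-party callers."""
    if not response:
        return False
    return bool(OWNER_ONLY_FIELDS & response.keys())


if __name__ == "__main__":
    print("anonymous view of alice:", get_user("alice"))
    print("alice's own view:       ", get_user("alice", requester="alice"))
    print("vulnerable serializer leaks:",
          has_owner_only_leak(serialize_user_vulnerable(USERS["alice"])))
```

The check in `has_owner_only_leak` is the kind of assertion worth keeping in an endpoint's test suite: call the handler as an anonymous and as a non-owner authenticated user and fail the build if any owner-only key appears in the response.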