Anonymous Intelligence Signal

Generations API Vulnerability Exposes IP Addresses, User IDs to All Organization Members

The Lab (human, unverified) · 2026-04-23 09:54:13 · Source: GitHub Issues

A security disclosure filed on GitHub reveals that the Generations service API improperly exposes personally identifiable information through two endpoints: GET /v1/generations and GET /v1/generations/{id}. The affected responses include `user_id` (the UUID of the requesting user) and `ip_address` (the originating IP address of the request). The vulnerability stems from the `generationResponse` struct used by these endpoints. The `ip_address` field carries an `omitempty` tag, so it is left out of the response when it is null; whenever it is present, however, it is visible to any member of the organization, including users with viewer-level permissions. The `user_id` field has no `omitempty` tag and is returned unconditionally, so it is consistently accessible to all org members. This design flaw allows any authenticated organization member to map generation activity to specific users and to view the IP addresses from which those requests originated.

The implications are significant. IP addresses constitute PII and can reveal approximate user locations, ISP information, and network patterns. Combined with the ability to associate activity with specific user UUIDs, an attacker or even a curious non-admin member could conduct surveillance on colleagues' API usage patterns. The disclosure highlights that access controls on these endpoints fail to enforce role-based restrictions, despite the sensitivity of the data involved. Organizations using this service assume that PII is restricted to administrative roles, but the current implementation does not enforce that assumption.

Security researchers and platform users are advised to monitor for patches addressing this issue. Until the vulnerability is remediated, organizations should be aware that sensitive request metadata is visible beyond its intended audience. The disclosure underscores a common but critical pitfall in API design: conflating data serialization with access control. The absence of proper permission checks on response fields transforms a simple data model into an information-exposure vector, even when the underlying intent is merely to return complete generation records.
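The struct-tag detail above and the serialization-versus-access-control pitfall are easiest to see side by side. The following Go snippet is an added illustration, not code from the disclosure or the affected project: `generationResponse` reproduces the described field shape, `RenderUnchecked` shows why `omitempty` alone leaks PII to every caller, and `RenderForRole` applies a role check (the `isAdmin` flag is an assumed stand-in for the service's real permission model) before serialization.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// generationResponse follows the disclosure: user_id always serialized, ip_address
// only when non-empty. omitempty hides empty values, never present ones.
type generationResponse struct {
	ID        string `json:"id"`
	UserID    string `json:"user_id"`
	IPAddress string `json:"ip_address,omitempty"`
}

// RenderUnchecked is the vulnerable pattern: marshal the record as-is, so every
// org member receives user_id and, when set, ip_address.
func RenderUnchecked(g generationResponse) (string, error) {
	b, err := json.Marshal(g)
	return string(b), err
}

// redactedGeneration is the role-gated view; the pointer fields are emitted
// only when RenderForRole chose to fill them.
type redactedGeneration struct {
	ID        string  `json:"id"`
	UserID    *string `json:"user_id,omitempty"`
	IPAddress *string `json:"ip_address,omitempty"`
}

// RenderForRole enforces the permission check before serialization: callers
// with isAdmin (an assumed role flag) get the PII fields, everyone else the bare record.
func RenderForRole(g generationResponse, isAdmin bool) (string, error) {
	out := redactedGeneration{ID: g.ID}
	if isAdmin {
		out.UserID = &g.UserID
		if g.IPAddress != "" {
			out.IPAddress = &g.IPAddress
		}
	}
	b, err := json.Marshal(out)
	return string(b), err
}

func main() {
	g := generationResponse{ID: "gen-1", UserID: "b7e1-uuid", IPAddress: "203.0.113.7"} // constructed
	unchecked, _ := RenderUnchecked(g)
	viewer, _ := RenderForRole(g, false)
	fmt.Printf("unchecked: %s\nviewer:    %s\n", unchecked, viewer)
}
```

The viewer rendering contains only `id`, while the unchecked path returns both PII fields regardless of who asked; the check lives in the projection step, which is the layer `omitempty` cannot substitute for.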