API Endpoint Exposes Individual User Costs and Identities to All Organization Members
A security vulnerability in the usage reporting API allows any authenticated organization member—including those with minimal viewer permissions—to access detailed per-user spending data and identity information. The affected endpoint, `GET /v1/usage`, returns a `top_users` array containing each user's UUID, request count, and total accumulated cost. The flaw was identified as an information disclosure issue where access controls fail to restrict visibility based on organizational role.
The returned payload exposes three critical data points: `user_id` (the UUID of each user), `request_count` (the number of API requests made by that user), and `total_cost` (the total spend attributed to that user). While the endpoint maintains proper organization-level scoping—preventing cross-organization data leakage—it offers no granular permission controls. Any authenticated user within the organization, regardless of role or need-to-know, can retrieve this breakdown. The vulnerability was documented as an open GitHub security issue awaiting remediation.
The implications extend across multiple risk vectors. Privacy concerns arise immediately: users within the same organization can view each other's usage patterns and spending levels without authorization. A malicious or curious viewer could enumerate user identities, correlate activity to individuals, and build profiles of internal API consumption. Competitive intelligence risks also emerge—organization members can identify which users drive the highest costs and most activity, potentially revealing strategic priorities or resource allocation. The absence of role-based filtering means that even the most restricted accounts have access to information that should remain restricted to administrators or billing managers. Remediation would require implementing permission checks to ensure only authorized roles receive the per-user breakdown, while preserving aggregate reporting for general members.
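The following is an added illustration of the remediation described above; it is not the affected project's code. It models the endpoint as a plain function so the access-control decision is visible without a web framework: the vulnerable handler applies only organization scoping and always attaches `top_users`, while the fixed handler returns the aggregate to everyone and the per-user breakdown only to roles allowed to see it. The role strings (`viewer`, `admin`, `billing_manager`), the record layout and the sample data are assumptions constructed for the example; the real service's role names and storage are not on the page.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed role names: the advisory mentions viewers, administrators and
# billing managers but not the exact strings the service uses.
PER_USER_ROLES = frozenset({"admin", "billing_manager"})


@dataclass(frozen=True)
class Requester:
    org_id: str
    user_id: str
    role: str


@dataclass(frozen=True)
class UsageRecord:
    org_id: str
    user_id: str
    cost: float


# Constructed sample usage log: two orgs, three users.
RECORDS = [
    UsageRecord("org-a", "u1", 1.0),
    UsageRecord("org-a", "u1", 2.0),
    UsageRecord("org-a", "u1", 3.0),
    UsageRecord("org-a", "u2", 0.5),
    UsageRecord("org-b", "u3", 9.0),
]


def _org_records(records, org_id):
    """Organization-level scoping, which the vulnerable endpoint already does."""
    return [r for r in records if r.org_id == org_id]


def _aggregate(records, org_id):
    """Org-wide totals that are safe to show to any member."""
    scoped = _org_records(records, org_id)
    return {
        "request_count": len(scoped),
        "total_cost": round(sum(r.cost for r in scoped), 2),
    }


def _top_users(records, org_id, limit=10):
    """Per-user breakdown: the sensitive part of the payload."""
    counts = defaultdict(int)
    costs = defaultdict(float)
    for r in _org_records(records, org_id):
        counts[r.user_id] += 1
        costs[r.user_id] += r.cost
    rows = [
        {"user_id": u, "request_count": counts[u], "total_cost": round(costs[u], 2)}
        for u in counts
    ]
    rows.sort(key=lambda row: row["total_cost"], reverse=True)
    return rows[:limit]


def usage_vulnerable(requester, records):
    """Models the reported behaviour: scoped to the org, but no role check."""
    body = _aggregate(records, requester.org_id)
    body["top_users"] = _top_users(records, requester.org_id)
    return body


def usage_fixed(requester, records):
    """Remediated handler: aggregate for everyone, per-user rows only for allowed roles."""
    body = _aggregate(records, requester.org_id)
    if requester.role in PER_USER_ROLES:
        body["top_users"] = _top_users(records, requester.org_id)
    return body


def leaks_per_user_to_viewer(handler, records):
    """Regression check: does a viewer-role request receive the per-user breakdown?"""
    viewer = Requester(org_id="org-a", user_id="u2", role="viewer")
    return "top_users" in handler(viewer, records)


if __name__ == "__main__":
    print("vulnerable leaks to viewer:", leaks_per_user_to_viewer(usage_vulnerable, RECORDS))
    print("fixed leaks to viewer:", leaks_per_user_to_viewer(usage_fixed, RECORDS))
```

The `leaks_per_user_to_viewer` check is the kind of test worth keeping in the service's suite after the fix: it asserts on the response shape for the least-privileged role rather than on the values, so it keeps failing loudly if a later refactor reintroduces the unconditional `top_users` field.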