1. API Endpoint Exposes Individual User Costs and Identities to All Organization Members
A security vulnerability in the usage reporting API allows any authenticated organization member—including those with minimal viewer permissions—to access detailed per-user spending data and identity information. The affected endpoint, `GET /v1/usage`, returns a `top_users` array containing each user's UUID, request coun...
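One way to scope the `top_users` array by caller role on the server side, together with a check that can serve as a regression test. This is an added example, not the affected service's code; the role names and every field name other than `top_users` are assumptions.

```python
# Added example: role names and all field names except `top_users` are assumed.
import copy

# Assumption: only these roles may see per-user spend and identity.
PER_USER_ROLES = frozenset({"owner", "billing_admin"})


def shape_usage_response(report: dict, caller_id: str, caller_role: str) -> dict:
    """Return the GET /v1/usage body this caller is entitled to see."""
    body = copy.deepcopy(report)  # never mutate the shared report object
    rows = body.pop("top_users", [])
    if caller_role in PER_USER_ROLES:
        body["top_users"] = rows
    else:
        # Deny by default: low-privilege or unknown roles keep the org totals
        # and at most their own row, never a peer's UUID, identity or spend.
        body["top_users"] = [r for r in rows if r.get("user_id") == caller_id]
    return body


def peer_rows(body: dict, caller_id: str) -> list:
    """Regression check: rows in a response that describe someone else."""
    return [r for r in body.get("top_users", []) if r.get("user_id") != caller_id]


# Constructed sample report (not real data).
SAMPLE_REPORT = {
    "org_total_usd": 412.50,
    "top_users": [
        {"user_id": "11111111-1111-4111-8111-111111111111",
         "email": "a@example.com", "cost_usd": 300.00},
        {"user_id": "22222222-2222-4222-8222-222222222222",
         "email": "b@example.com", "cost_usd": 112.50},
    ],
}

if __name__ == "__main__":
    viewer_id = "22222222-2222-4222-8222-222222222222"
    shaped = shape_usage_response(SAMPLE_REPORT, viewer_id, "viewer")
    print(shaped)
    print("peer rows visible to viewer:", peer_rows(shaped, viewer_id))
```

Running `peer_rows` against responses fetched with a viewer-level test account gives an automated check that the per-user breakdown stays restricted.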