Summary by vinax
A publicly accessible GraphQL API exposed sensitive group and user information to unauthenticated users. By leveraging the wildcard search feature in the tags parameter, an attacker could enumerate groups in bulk, leading to the exposure of PII.
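The mitigation side of this finding, as an added example that is not code from the report or the affected API: a resolver-side guard that requires an authenticated caller, accepts only literal tags through an allow-list pattern, caps page size, and returns member details only to members. The `first` argument, the limits, the tag pattern and the group shape are assumptions; the sample data is constructed.

```javascript
// Hypothetical guard for a group-search resolver taking `tags` and `first`.
// All names and limits below are assumptions, not taken from the affected API.
const TAG_RE = /^[A-Za-z0-9][A-Za-z0-9-]{1,31}$/; // literal tags only: *, %, ? cannot match
const MAX_TAGS = 5;   // assumed cap on tags per query
const MAX_PAGE = 25;  // assumed cap on results per page

class PolicyError extends Error {
  constructor(code, message) { super(message); this.code = code; }
}

// Validate caller and arguments before any data-store lookup happens.
function guardGroupSearch(args, ctx) {
  if (!ctx || !ctx.user) throw new PolicyError('UNAUTHENTICATED', 'login required');
  const tags = Array.isArray(args.tags) ? args.tags : [args.tags];
  if (tags.length === 0 || tags.length > MAX_TAGS) {
    throw new PolicyError('BAD_INPUT', 'between 1 and ' + MAX_TAGS + ' tags required');
  }
  for (const t of tags) {
    // Allow-list check: anything that is not a plain tag is refused, wildcards included.
    if (typeof t !== 'string' || !TAG_RE.test(t)) {
      throw new PolicyError('BAD_INPUT', 'tag must be a literal value');
    }
  }
  const asked = Number.isInteger(args.first) && args.first > 0 ? args.first : MAX_PAGE;
  return { tags, first: Math.min(asked, MAX_PAGE) };
}

// Field-level authorization: member details (PII) go only to members of that group.
function projectGroup(group, ctx) {
  const pub = { id: group.id, name: group.name };
  return group.memberIds.includes(ctx.user.id) ? { ...pub, members: group.members } : pub;
}

// Returns 'OK' or the policy error code, for logging and for the checks below.
function tryGuard(args, ctx) {
  try { guardGroupSearch(args, ctx); return 'OK'; }
  catch (e) { if (e instanceof PolicyError) return e.code; throw e; }
}

// Constructed sample data.
const sampleGroup = {
  id: 'g1', name: 'ops', memberIds: ['u1'],
  members: [{ id: 'u1', email: 'user1@example.test' }],
};
console.log(tryGuard({ tags: ['*'] }, { user: { id: 'u2' } }));  // BAD_INPUT
console.log(tryGuard({ tags: ['ops'] }, null));                  // UNAUTHENTICATED
console.log(projectGroup(sampleGroup, { user: { id: 'u2' } }));  // no members field
```

Repeated `BAD_INPUT` or `UNAUTHENTICATED` results from one client are a useful signal to log and alert on, since bulk enumeration attempts produce them in volume.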