First, I looked for an authentication bypass but found nothing, so I shifted my focus to privilege escalation.
Steps to Reproduce
- Log in as Admin → invite a new user with Viewer role
- "Accept invitation" → complete sign-up
- Confirm the new account shows Viewer role and cannot see admin details
- Open the browser developer tools and copy the authorization token from local storage
- Execute the curl command with the viewer token
- Observed result: the API returns full admin profile data, including a sensitive phone number
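The failure in the steps above is a missing server-side authorization check: the UI hides admin details from a Viewer, but the API trusts any valid token. Below is an added example (hypothetical code, not the target application's) contrasting a profile endpoint that only authenticates with one that authorizes per record; the users, tokens and phone numbers are constructed sample data.

```python
from dataclasses import dataclass, asdict


@dataclass
class User:
    user_id: int
    role: str   # "admin" or "viewer"
    phone: str  # sensitive field a viewer must not see


# Constructed sample data; tokens are placeholders, not real credentials.
USERS = {
    1: User(1, "admin", "+1-555-0100"),
    2: User(2, "viewer", "+1-555-0199"),
    3: User(3, "viewer", "+1-555-0142"),
}
TOKENS = {"tok-admin": 1, "tok-viewer": 2}
SENSITIVE_FIELDS = {"phone"}


def resolve_user(token):
    """Map a bearer token to a user, or None when the token is unknown."""
    user_id = TOKENS.get(token)
    return USERS.get(user_id) if user_id is not None else None


def get_profile_vulnerable(token, target_id):
    """Authenticates the caller but never asks whether the caller may
    see this particular record: any valid token returns any profile."""
    if resolve_user(token) is None:
        return 401, None
    target = USERS.get(target_id)
    return (200, asdict(target)) if target else (404, None)


def get_profile_fixed(token, target_id):
    """Authorize per record on the server, mirroring the UI rule."""
    requester = resolve_user(token)
    if requester is None:
        return 401, None
    target = USERS.get(target_id)
    if target is None:
        return 404, None
    if requester.user_id == target.user_id or requester.role == "admin":
        return 200, asdict(target)          # owner or admin: full record
    if target.role == "admin":
        return 403, None                    # viewers never see admin profiles
    public = {k: v for k, v in asdict(target).items()
              if k not in SENSITIVE_FIELDS}
    return 200, public                      # other users: redacted view
```

The same check belongs on every endpoint that returns user data, since the token alone only proves who is calling, not what they may read.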

Usually, this kind of bug isn't critical, but it keeps your motivation up.