Bubba AI, Inc. 2261 Market Street, San Francisco, California, 94114

Web Application Penetration Testing Findings

Finding Title: Unauthenticated API Endpoints (Closed)
Severity (CVSS 3.1): 3.9 (Low)

Description:
The vulnerability occurs when API endpoints that expose sensitive application data are accessible without requiring authentication. An attacker can retrieve sensitive information, including full user details, without holding valid credentials; exploitation requires only knowledge of the API endpoint structure and a target username, so the attack is easy to carry out.

An attacker can exploit this by sending HTTP requests to the exposed endpoints with valid usernames, including usernames belonging to other companies, to retrieve the corresponding user records. Because a username from one organization returns that organization's record regardless of who is asking, the application does not enforce tenant isolation, and cross-tenant access to sensitive data is possible.

Successful exploitation could result in large-scale disclosure of personally identifiable information (PII), exposure of administrative account details and API keys, targeted attacks against high-privilege users across multiple organizations, and increased regulatory, reputational, and compliance risk.

Risk:
- Unauthenticated access to PII and administrative account data.
- Exposure of sensitive configuration details such as API keys.
- Cross-tenant access enables attackers to retrieve data from other companies.
- Targeted attacks against high-privilege users across multiple organizations.
- Increased risk of phishing, credential stuffing, and social engineering.
- Potential regulatory and compliance impact due to PII disclosure.
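The following is an added illustration, not code from the tested application or from this report, of the two failures the finding describes (a user-lookup endpoint with no authentication and no tenant scoping, returning API keys in the response) alongside a hardened handler, together with the three probes a tester would run to confirm or close the finding. The user records, tenant names, session tokens and the `Request`/`ApiError` types are constructed for the example and are not taken from the report.

```python
"""Vulnerable vs. hardened user-lookup handler, with the checks a tester runs.

Everything below is constructed sample data and example code; none of it is
the tested application's code or data.
"""
import hmac
from dataclasses import dataclass, field

# Constructed sample data: two tenants, one administrative user each.
USERS = {
    "alice": {"username": "alice", "tenant": "acme", "role": "admin",
              "email": "alice@acme.example", "api_key": "ak_acme_0001"},
    "bob": {"username": "bob", "tenant": "globex", "role": "admin",
            "email": "bob@globex.example", "api_key": "ak_globex_0001"},
}

# Constructed session store: bearer token -> (username, tenant).
SESSIONS = {"tok-alice": ("alice", "acme")}


@dataclass
class Request:
    path_username: str            # the {username} path parameter
    headers: dict = field(default_factory=dict)


class ApiError(Exception):
    def __init__(self, status: int):
        super().__init__(status)
        self.status = status


def vulnerable_get_user(req: Request) -> dict:
    """The behaviour in the finding: no auth check, no tenant scoping,
    and the full record (API key included) is returned to any caller."""
    user = USERS.get(req.path_username)
    if user is None:
        raise ApiError(404)
    return dict(user)


def _authenticate(req: Request) -> tuple:
    """Resolve the bearer token to (username, tenant) or fail with 401."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise ApiError(401)
    token = auth[len("Bearer "):]
    # Constant-time comparison so token lookup does not leak via timing.
    for stored, principal in SESSIONS.items():
        if hmac.compare_digest(stored, token):
            return principal
    raise ApiError(401)


def hardened_get_user(req: Request) -> dict:
    """Authenticate, scope the lookup to the caller's tenant, redact secrets."""
    _caller, caller_tenant = _authenticate(req)
    user = USERS.get(req.path_username)
    # 404 rather than 403 for other tenants' records, so the endpoint does not
    # confirm that a username exists in another organization.
    if user is None or user["tenant"] != caller_tenant:
        raise ApiError(404)
    # API keys are shown once at creation, never on a read endpoint.
    return {k: v for k, v in user.items() if k != "api_key"}


def probe(handler) -> dict:
    """Run the three checks behind this finding against a handler.
    Each value is True when the handler is vulnerable to that check."""
    def call(req):
        try:
            return 200, handler(req)
        except ApiError as e:
            return e.status, None

    unauth_status, unauth_body = call(Request("alice"))
    cross_status, cross_body = call(
        Request("bob", {"Authorization": "Bearer tok-alice"}))
    _same_status, same_body = call(
        Request("alice", {"Authorization": "Bearer tok-alice"}))
    return {
        "unauthenticated_read": unauth_status == 200,
        "cross_tenant_read": cross_status == 200,
        "api_key_exposed": any(
            b is not None and "api_key" in b
            for b in (unauth_body, cross_body, same_body)),
    }


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_get_user),
                          ("hardened", hardened_get_user)):
        print(name, probe(handler))
```

The `probe` function mirrors the retest for a closed finding: an unauthenticated request must be rejected, a request authenticated as a user in one tenant must not return a record from another tenant, and no response may carry credential material such as an API key. The 404-over-403 choice in the hardened handler is a design decision for this example: it stops the endpoint from acting as a cross-tenant username oracle even after access is denied.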
RELAYTO Penetration Test Report