Bubba AI, Inc. 2261 Market Street, San Francisco, California, 94114

Evidence: Direct HTTP requests to the identified API endpoints returned successful responses without requiring authentication. Using usernames belonging to other companies, the tester was able to retrieve full user records, demonstrating cross-tenant exposure. The responses contained full user records, including administrator account details and associated sensitive fields.

Figure 1 - Unauthenticated request to the /api/companies endpoint returning a successful response with another company's data.
Figure 2 - Unauthenticated request to the /api/users/{username}/full endpoint returning a successful response with sensitive data.
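The following is an added illustration, not code from the report or from the RELAYTO application: a minimal lookup for the /api/users/{username}/full route in the shape that produces this finding (no authentication, no tenant check) beside a hardened version that requires a valid session and only serves records belonging to the caller's own company. The session store, user records and company identifiers are constructed sample data; the same scoping applies to the /api/companies route.

```python
# Added example (not RELAYTO's code): the lookup behind the
# /api/users/{username}/full finding, vulnerable form beside a hardened form.
# Sessions, users and company ids below are constructed sample data.
from dataclasses import dataclass
from typing import Optional

@dataclass
class User:
    username: str
    company_id: str
    is_admin: bool
    email: str

# Constructed tenant data: two companies, one administrator each.
USERS = {
    "alice": User("alice", "acme", True, "alice@acme.example"),
    "bob": User("bob", "globex", True, "bob@globex.example"),
}
# Constructed session store: bearer token -> authenticated username.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

def full_record(u: User) -> dict:
    return {"username": u.username, "company_id": u.company_id,
            "is_admin": u.is_admin, "email": u.email}

def get_user_full_vulnerable(username: str) -> tuple[int, Optional[dict]]:
    """Vulnerable: no authentication and no tenant check, so any caller can
    read any user's full record from any company just by naming the user."""
    u = USERS.get(username)
    return (200, full_record(u)) if u else (404, None)

def get_user_full_hardened(username: str,
                           auth_header: Optional[str]) -> tuple[int, Optional[dict]]:
    """Hardened: require a valid session, then serve only records that belong
    to the caller's own company. Other tenants' users get 404 rather than 403
    so the response does not confirm that the username exists elsewhere."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return (401, None)
    caller = USERS.get(SESSIONS.get(auth_header[len("Bearer "):], ""))
    if caller is None:
        return (401, None)
    u = USERS.get(username)
    if u is None or u.company_id != caller.company_id:
        return (404, None)
    return (200, full_record(u))
```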
RELAYTO Penetration Test Report