/api/users/:id returns any user's full record — email, role, SSN, API key — with no ownership or authorization check. Just increment the id to walk every account.
Trigger: /api/users/2, /api/users/3 — leaks other users' ssn / apiKey.
Detected by: browser_cdp_idor_fuzz