BuddyPress < 5.1.2 - Unauthenticated Private User Data Exposure via REST API Endpoint
In BuddyPress before 5.1.2, requests to a certain REST API endpoint can result in private user data getting exposed. Authentication is not needed. This has been patched in version 5.1.2.