In JetBrains YouTrack prior to 2020.4.4701, an attacker could enumerate users via the REST API without appropriate permissions.
jetbrains youtrack