The field "api_key" has special security rules when accessed via the API. These rules could potentially be bypassed and lead to privilege escalation.
- CiviCRM versions between 4.7.0 and 5.19.1
- CiviCRM 5.19.2 and 5.13.7
Upgrade to the latest version of CiviCRM
Coleman Watts of CiviCRM for reporting.
Coleman Watts of CiviCRM, Tim Otten of CiviCRM, and Seamus Lee of Australian Greens for fixing the issue