Some permissions were not being checked adequately before returning results from the CiviCRM APIv4. This did not affect everyday use of CiviCRM, but an attacker could potentially exploit this to bypass security checks and read private data from the database. To date there are no known sites that have been compromised due to this bug. APIv3 was not affected.
CiviCRM version 5.35.1 and earlier
CiviCRM versions 5.36.1, 5.35.2, 5.33.5 ESR
Upgrade to a supported version of CiviCRM
Coleman Watts of CiviCRM Core for reporting and fixing the issue.