@mishre discovered that an organization member could set the membership visibility for other members. A user can set their organization membership to “private” if they do not want to be publicly listed as a member of an organization. However, because of a bug related to how user IDs were parsed from the request, an organization member could craft a request that would let them set the organization membership visibility for another member. We addressed the vulnerability by fixing the request parsing so that the existing authorization logic was enforced correctly.
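The write-up does not give the parsing details, so the following is an added illustration rather than GitHub's code: a general pattern in which the target user ID is parsed once into a single canonical value, and that same value feeds both the authorization check and the write. All names (`parse_target_user_id`, `set_membership_visibility`, `Org`) and the self-only policy are assumptions.

```python
from dataclasses import dataclass, field


class BadRequest(Exception):
    pass


class Forbidden(Exception):
    pass


def parse_target_user_id(params):
    """Return exactly one canonical user ID, or reject the request."""
    raw = params.get("user_id")
    # Lists, dicts, None and booleans are refused outright, so no two layers
    # can each pick a different "user ID" out of the same request.
    if isinstance(raw, bool) or not isinstance(raw, (str, int)):
        raise BadRequest("user_id must be a single scalar value")
    text = str(raw)
    if not (text.isascii() and text.isdigit()) or len(text) > 18:
        raise BadRequest("user_id must be a plain decimal integer")
    return int(text)


@dataclass
class Org:  # hypothetical in-memory stand-in for the membership store
    visibility: dict = field(default_factory=dict)  # user_id -> "public"/"private"


def set_membership_visibility(org, actor_id, params):
    target_id = parse_target_user_id(params)  # parsed once, used everywhere below
    new_value = params.get("visibility")
    if new_value not in ("public", "private"):
        raise BadRequest("visibility must be 'public' or 'private'")
    if target_id not in org.visibility:
        raise BadRequest("target is not a member of this organization")
    # Assumed policy: members may change only their own visibility. The check
    # and the write both use target_id, never a second read of the request.
    if actor_id != target_id:
        raise Forbidden("cannot change another member's visibility")
    org.visibility[target_id] = new_value
    return target_id
```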