RhodeCode before 2.2.7 allows remote authenticated users to obtain API keys and other sensitive information via the (1) updaterepo, (2) getlocks, or (3) getusergroups API method.