Severity: Medium

Project: lunary

Run Information Leak via Insufficient Access Control

The endpoint `runs/{run_id}/related` in the main branch (commit a761d833) of the software does not properly check user access, leading to potential information leaks. This issue was identified and reported but has not yet been patched.

Available publicly on Jun 22 2024

CVSS score: 4.3

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Credit: patrik-ha

Threat Overview

The vulnerability arises from the `runs/{run_id}/related` endpoint failing to verify that the requesting user has the necessary permissions to access the specified run and its related runs. This oversight allows unauthorized users to retrieve sensitive information about runs that are not public. The other endpoints, `runs/{run_id}` and `runs/{run_id}/public`, correctly enforce access controls, highlighting the inconsistency and unintended behavior of the `runs/{run_id}/related` endpoint.

Attack Scenario

An attacker could exploit this vulnerability by obtaining the `run_id` of a non-public run, either through social engineering or by leveraging a public parent run's `run_id`. Using this `run_id`, the attacker can call the `runs/{run_id}/related` endpoint to retrieve detailed information about the run and any related runs, potentially exposing sensitive data.
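The following is an added example, not lunary's own code, that models the inconsistency the Threat Overview and Attack Scenario describe: a `related` lookup that only checks that the run exists, beside a hardened version that authorizes the requested run and then filters the related set by the same rule the direct-run lookup applies. The run ids, project ids, the `canAccessRun` helper and the requester shape are all constructed for illustration and do not correspond to lunary's data model or API.

```javascript
// Hypothetical in-memory model of runs and their parent/child relations (not lunary's code).
// Constructed sample data: a public parent run in project A with a private child run
// in the same project, and a separate private run in project B.
const RUNS = new Map([
  ["run-1", { id: "run-1", projectId: "proj-A", isPublic: true, parentId: null, output: "public parent" }],
  ["run-2", { id: "run-2", projectId: "proj-A", isPublic: false, parentId: "run-1", output: "private child" }],
  ["run-3", { id: "run-3", projectId: "proj-B", isPublic: false, parentId: null, output: "private run" }],
]);

// Authorization rule shared by every run-reading endpoint: public runs are visible to
// anyone; private runs only to members of the owning project. An anonymous requester
// is represented as null and belongs to no project.
function canAccessRun(requester, run) {
  if (run.isPublic) return true;
  return requester !== null && requester.projectIds.includes(run.projectId);
}

// "Related" runs here means the run itself plus its direct children.
function relatedRuns(runId) {
  return [...RUNS.values()].filter((r) => r.id === runId || r.parentId === runId);
}

// Equivalent of the direct lookup (runs/{run_id}) that does enforce the rule.
function getRun(requester, runId) {
  const run = RUNS.get(runId);
  if (!run || !canAccessRun(requester, run)) return null;
  return run;
}

// Vulnerable shape: resolves by id only and never consults the requester, so a
// private run, or the private children of a public parent, are returned to anyone.
function getRelatedVulnerable(_requester, runId) {
  if (!RUNS.has(runId)) return null;
  return relatedRuns(runId);
}

// Hardened shape: authorize the requested run first (same rule as getRun), then
// filter the related set with that rule as well, so a public parent never acts as
// a bridge to its private children. "Not found" and "forbidden" give the same
// response so the endpoint is not an existence oracle for private run ids.
function getRelatedHardened(requester, runId) {
  const run = RUNS.get(runId);
  if (!run || !canAccessRun(requester, run)) return null;
  return relatedRuns(runId).filter((r) => canAccessRun(requester, r));
}

// Stand-alone demonstration for an anonymous requester.
function demo() {
  const anon = null;
  return {
    directLookupOfPrivateRun: getRun(anon, "run-3"),
    vulnerableRelated: (getRelatedVulnerable(anon, "run-1") || []).map((r) => r.id),
    hardenedRelated: (getRelatedHardened(anon, "run-1") || []).map((r) => r.id),
  };
}

console.log(demo());
```

The point the comparison makes is that the fix is not a new rule but reuse of the existing one: whatever `runs/{run_id}` does to decide visibility must be applied both to the requested run and to every run in the related set, otherwise a public parent's id becomes a path to private data.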

Who is affected

Users of the software who have non-public runs stored in the system are affected. This includes any organization or individual using the software to manage and log runs, especially those who rely on the confidentiality of their run data.

Technical Report