Passbolt implements a mechanism to verify the server's authenticity. The /auth/verify.json endpoint used to verify the server's authenticity returns a JSON that displays errors that occurred during the request. An attacker could use this unauthenticated endpoint to enumerate users registered on a Passbolt instance. They could retrieve a huge list of PGP public keys (by scrapping a widely-populated HKP server) and try every fingerprint to list potential users. This vulnerability has a low impact. It requires an attacker to know the victim's public key's fingerprint.