Security advisory for v4.1.0 with non-superadmin users #2412

@knadh

Issue

The subscribers:sql_query permission check is broken, allowing non-superadmin users on an installation to query the sessions table via the GET /api/subscribers API and access the Super Admin account.

Who is affected?

Installations with non-trusted user accounts with the subscribers:get_all permission.

Mitigation

If you have non-trusted user accounts, disable the subscribers:get_all permission on them for now. This fully disables using the API to query subscribers via SQL expressions. A fix is being developed here which will be available in the upcoming v5.0.0 release.
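The permission gate described in the Issue section and the interim mitigation above, modelled as an added example in Go; this is hypothetical illustration code, not listmonk's own authorization layer, and the `User`, `ListRequest` and function names are assumptions. It shows a gate that checks only subscribers:get_all beside one that also requires subscribers:sql_query when a raw SQL expression is supplied, plus an audit helper that lists non-superadmin accounts still holding get_all.

```go
package main

import "errors"
// Permission names as quoted in the advisory.
const (
	PermGetAll   = "subscribers:get_all"
	PermSQLQuery = "subscribers:sql_query"
)
var ErrForbidden = errors.New("forbidden")
// User is a hypothetical account model, not listmonk's own.
type User struct {
	Name  string
	Super bool            // superadmin bypasses permission checks
	Perms map[string]bool // granted permission names
}
func (u User) Has(p string) bool { return u.Super || u.Perms[p] }

// ListRequest models GET /api/subscribers; QueryExpr is an optional
// raw SQL filter expression supplied by the caller.
type ListRequest struct{ QueryExpr string }

// authorizeListBroken models the flaw described above: only get_all is
// checked, so anyone holding it may also pass a SQL expression.
func authorizeListBroken(u User, r ListRequest) error {
	if !u.Has(PermGetAll) {
		return ErrForbidden
	}
	return nil
}

// authorizeListFixed also demands subscribers:sql_query whenever a raw
// SQL expression is present; a plain listing still needs only get_all.
func authorizeListFixed(u User, r ListRequest) error {
	if !u.Has(PermGetAll) || (r.QueryExpr != "" && !u.Has(PermSQLQuery)) {
		return ErrForbidden
	}
	return nil
}

// untrustedWithGetAll is the mitigation audit: non-superadmins holding get_all.
func untrustedWithGetAll(users []User) []string {
	var out []string
	for _, u := range users {
		if !u.Super && u.Perms[PermGetAll] {
			out = append(out, u.Name)
		}
	}
	return out
}
```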
