- Bug
- Resolution: Fixed
- Low
- 5.2.4
To reproduce, request:
/rest/prototype/1/session/check/notmycurrentusername
The response is:
Expected user >{}< but was >{}<
The format string at plugins/rest/resources/UserSession.java, line 101, is incorrect, resulting in this output. This issue has no security implications, but care should be taken to not introduce an XSS while fixing this, as it is currently served as text/html.
- is incorporated by
- CONFSERVER-39689 Rest API XSS
- Closed