We've discovered and fixed a security issue, where the attacker could (using the REST API):

• access the list of patches in a review (their filename, database id upload date and anchor details) without authentication
• access the patch content for any review as long as he had view access to any other review on the server