Jenkins global-build-stats Plugin 322.v22f4db 18e2dd and earlier does not perform permission checks in its REST API endpoints, allowing attackers with Overall/Read permission to enumerate graph IDs.

This has been patched in version 347.v32a eb 0493c4f.