Cloud Foundry CAPI (Cloud Controller) versions prior to 1.98.0 allow authenticated users having only the «cloud_controller.read» scope, but no roles in any spaces, to list all droplets in all spaces (whereas they should see none).
