Experiencing a data leak on the Developer Portal: after logging in, it is possible to view confidential data such as URLs, IPs and details of servers and internal applications, allowing a malicious actor to obtain information about the operation and the technologies used by the application.
The display of user UUIDs via the query parameters appended to the end of the Developer Portal URL needs to be suppressed:
Example of a URL used to display users' info:
https://devPortal.domain.com./admin/v2/users?includeAnonymous=true&limit=12&offset=0&sortBy=username&sortOrder=ASC
CA API Portal 5.2, 5.3
This is not a data leak; it is working as designed. An admin user is able to see this information from the Portal dashboard (the info is expected to be accessible to the admin user and/or any other user who has the permissions to view it).
Once users log in to the Portal, they have a cookie (with that session information in place) that is valid for making any PAPI call.
You need to log in as the admin user to see that data. Other (non-privileged) users will not see that data at all.
Example with a non-privileged user and the URL query below:
{"error":{"code":"Access Denied",
  "message":{"lang":"en","value":"Insufficient rights to perform operation."},
  "detail":{"errorCode":"500","devErrorMessage":"Access is denied","userErrorMessage":"Insufficient rights to perform operation.","userErrorKey":"error.acl.authorization"}}}
Consider the following also:
1) If using Portal User Roles and adding a Developer User (or any other user) to a specific Organization, we can
better control what can be viewed or modified by that user and what cannot.
2) If Portal users come from an Active Directory group (your own AD, via Policy Manager, e.g. READ-APIM-PORTAL-PRD),
then the specific AD user (e.g. user01) must have a Portal Role (user01 has the "Org Publisher" role) and must be assigned to an Organization (e.g. Org01), from which user01
has access to specific Applications and Keys.
If running the query "https://myportal.domain.com/admin/v2/users?includeAnonymous=true&limit=12&offset=0&sortBy=username&sortOrder=ASC"
under that setup, you will not see users' info (because the logged-in user does not have that kind of permission to access the info),
according to the permissions and roles granted to user01.
Example: the Org Publisher has publishing permissions only in the assigned organization.
A Developer can read an API only if they have the corresponding Manage permission.
"Org Publisher. This role is similar to the API Owner role, but users with this role can create and deploy APIs only for the organization to which they are assigned.
Users with this role can view analytics across organizations to understand how the APIs that their organization owns are consumed by other organizations.
For more information about analytics, see Monitor."
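The behaviour described above (admin sessions receive the user listing, an Org Publisher or Developer session receives the "error.acl.authorization" denial) is something worth re-checking after every role or Organization change. The following is an added example, not code from the article or from CA API Portal: it classifies the body returned by the /admin/v2/users query for each role and flags any role that received user records without being expected to. The listing shape (a "results" array of objects with a "uuid" field) and the role names are assumptions; the denied body is the response quoted in the article, and all sample responses are constructed inline.

```python
import json

# Constructed sample responses to the users query, keyed by the role of the
# session that issued it. The listing layout is an assumption; the denial is
# the Access Denied body quoted in the article.
ADMIN_BODY = json.dumps({"totalElements": 2, "results": [
    {"uuid": "11111111-2222-3333-4444-555555555555", "username": "user01"},
    {"uuid": "66666666-7777-8888-9999-000000000000", "username": "admin"},
]})
DENIED_BODY = json.dumps({"error": {"code": "Access Denied",
    "message": {"lang": "en", "value": "Insufficient rights to perform operation."},
    "detail": {"errorCode": "500", "devErrorMessage": "Access is denied",
               "userErrorMessage": "Insufficient rights to perform operation.",
               "userErrorKey": "error.acl.authorization"}}})
SAMPLE_RESPONSES = {
    "Admin": ADMIN_BODY,
    "Org Publisher": DENIED_BODY,
    "Developer": DENIED_BODY,
}
# Only the admin role is expected to read the user listing (assumed policy).
ROLES_ALLOWED_TO_LIST_USERS = {"Admin"}


def classify_users_response(body):
    """Return 'denied', 'exposed' or 'unexpected' for one users-query body."""
    try:
        data = json.loads(body)
    except ValueError:
        return "unexpected"          # not JSON: proxy page, HTML error, etc.
    err = data.get("error") if isinstance(data, dict) else None
    if isinstance(err, dict):
        key = err.get("detail", {}).get("userErrorKey")
        # Only the ACL denial counts as a clean "denied"; other errors are noise.
        return "denied" if key == "error.acl.authorization" else "unexpected"
    results = data.get("results") if isinstance(data, dict) else None
    if isinstance(results, list) and results and all("uuid" in r for r in results):
        return "exposed"             # user records (with UUIDs) were returned
    return "unexpected"


def audit_user_listing(responses, allowed=ROLES_ALLOWED_TO_LIST_USERS):
    """Return roles that saw user records without being allowed to, or that
    got neither a listing nor a clean ACL denial (worth a manual look)."""
    findings = []
    for role, body in responses.items():
        outcome = classify_users_response(body)
        if outcome == "exposed" and role not in allowed:
            findings.append(role)
        elif outcome == "unexpected":
            findings.append(role)
    return findings
```

Run audit_user_listing with one captured body per role after changing roles or Organization assignments; an empty result means every non-admin role still receives the ACL denial.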