Private draft report exposure in a program a user is added as a viewer to
Medium
HackerOne
Team Summary
Official summary from HackerOne
A vulnerability is identified where adding a user as a program viewer causes them to be subscribed to draft reports within that program. This subscription results in the program viewer receiving notifications for every comment posted on a draft report. The vulnerability leads to the exposure of sensitive information, including the comment content, report title, and the creation time of the draft (viewable via the GraphQL response). This issue is particularly concerning in large programs, where it could potentially cause mass disclosure of private draft reports and user comments.
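The summary above describes an authorization gap between two separate mechanisms: the rule that decides who may view a draft report, and the rule that decides who is subscribed to a report's comment notifications. The following Python model is an added example, not HackerOne's code; all names (`Program`, `Report`, `add_viewer_vulnerable`, `add_viewer_fixed`, `post_comment`) are assumptions made for illustration. It shows the vulnerable subscription logic beside a fixed version, and a second defence that re-checks visibility at notification time so that a stale subscription cannot leak the comment body, title or creation time.

```python
"""Hypothetical model of the viewer-subscription flaw described in the report summary.
All class and function names are assumptions; this is not HackerOne's code."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Report:
    title: str
    author: str
    is_draft: bool
    created_at: datetime
    subscribers: set = field(default_factory=set)
    comments: list = field(default_factory=list)


@dataclass
class Program:
    name: str
    members: dict = field(default_factory=dict)   # user -> role, e.g. "viewer"
    reports: list = field(default_factory=list)


def can_view(report, user):
    """Visibility rule assumed here: a draft is visible only to its author;
    a submitted (non-draft) report is visible to every program member."""
    if report.is_draft:
        return user == report.author
    return True


def add_viewer_vulnerable(program, user):
    """Bug: subscribes the new viewer to every report, drafts included."""
    program.members[user] = "viewer"
    for report in program.reports:
        report.subscribers.add(user)


def add_viewer_fixed(program, user):
    """Fix 1: only subscribe to reports the viewer is allowed to see."""
    program.members[user] = "viewer"
    for report in program.reports:
        if can_view(report, user):
            report.subscribers.add(user)


def submit_report(program, report):
    """When a draft becomes a real submission, members are subscribed then, not earlier."""
    report.is_draft = False
    for user in program.members:
        report.subscribers.add(user)


def post_comment(report, author, body, recheck_visibility):
    """Record a comment and return the notification payloads that would be sent.
    Fix 2 (defence in depth): with recheck_visibility=True the visibility rule is
    applied again at send time, so a stale or mistaken subscription leaks nothing."""
    report.comments.append((author, body))
    sent = []
    for user in sorted(report.subscribers):
        if user == author:
            continue
        if recheck_visibility and not can_view(report, user):
            continue
        # Exactly the fields the summary says were exposed.
        sent.append((user, {"title": report.title,
                            "comment": body,
                            "created_at": report.created_at.isoformat()}))
    return sent


def simulate(add_viewer, recheck_visibility):
    """Constructed scenario: one private draft, then a viewer is added, then the
    author comments on the draft. Returns the users who received the comment."""
    prog = Program("constructed-program")
    draft = Report("constructed draft title", "researcher", True,
                   datetime(2024, 1, 1, tzinfo=timezone.utc))
    prog.reports.append(draft)
    add_viewer(prog, "viewer1")
    notified = post_comment(draft, "researcher", "constructed private comment",
                            recheck_visibility)
    return [user for user, _payload in notified]


if __name__ == "__main__":
    print("vulnerable:", simulate(add_viewer_vulnerable, False))
    print("fixed subscription:", simulate(add_viewer_fixed, False))
    print("recheck at send time:", simulate(add_viewer_vulnerable, True))
```

The design point is that subscription and visibility are two separate state machines, and membership changes, draft-to-submitted transitions and notification fan-out each need to agree with the visibility rule. Fixing only the subscription step leaves previously created subscriptions in place, so the send-time check is what makes the fix robust; a detection angle for the same class of bug is to alert whenever a notification payload is about to go to a user for whom the underlying object's read check fails.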
Reported by
jay
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Bounty
$2500.00
Submitted
Weakness
Information Disclosure