A regular user accessing `/api/v2/admin/users` by simply changing the URL - Modifying the `user_id` parameter in a request to view another user's orders - Accessing the order management API without being an authenticated merchant