After running an external security scan of our instance of Jenkins there were users in the people list that should not be there. We can recreate the issue but are unable to collect information pertinent to pointing exactly to how the users ended up in the system. We're willing to provide additional information with guidance from the project. This may be an issue of security since each of those people are assigned an API key. If there was a way to obtain the API key then the method by which the scanner was able to create the users in the people list could eventually lead to access.