BugUnstuck

Trusted extra eyes for stuck bug bounty findings

Info Leak · D · Direct / Private · api-key · internal-api · access-control · privilege-escalation · OPEN

Internal API endpoint accessible via externally obtained API key

On a financial platform, I found that an API key obtained from a public-facing endpoint grants access to an internal API that should not be externally reachable. The internal API responds with partial data from authenticated endpoints — not full data, but enough to confirm the API key provides elevated access beyond what was intended. The key was found embedded in a JavaScript bundle served to unauthenticated users. Looking for help determining the full scope of what the key can access and whether the exposed internal endpoints contain sensitive operations.

Focus area: Scope assessment — mapping what the key can access on internal endpoints.
by s3nt1n3l · 2/28/2026 · Confidence: 80/100 · 96 views · 2 interested
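The failure mode in this post is a server that checks only that an API key is valid, not what it was issued for, so a key shipped in a public bundle is honoured on internal routes. The following is an added example (not BugUnstuck's code and not the reported platform's) that models that bug beside a scoped check, plus a detection helper that reports registered keys found verbatim in a served asset. All key values, route paths, scope names and the network prefixes are constructed for the example.

```python
"""Scoped API-key authorization: vulnerable and hardened variants, plus a
leaked-key check for served assets. Added example; every key, route, scope
and network range below is constructed, not taken from any real system."""

import hmac

# Constructed key registry. Each key records the scope it was issued for;
# a real deployment would consult a key store, never a literal dict.
KEYS = {
    "pub_live_a1b2c3": {"scope": "public:read", "owner": "web-bundle"},
    "int_live_z9y8x7": {"scope": "internal:ops", "owner": "settlement-svc"},
}

# Constructed route table: the scope each endpoint requires.
ROUTES = {
    "/v1/public/quotes": "public:read",
    "/internal/accounts/summary": "internal:ops",
    "/internal/transfers/approve": "internal:ops",
}

# Hypothetical internal address ranges; internal routes also require these.
INTERNAL_NETWORKS = ("10.", "192.168.")


def _lookup(api_key: str):
    """Constant-time comparison against every registered key."""
    for stored, meta in KEYS.items():
        if hmac.compare_digest(stored.encode(), api_key.encode()):
            return meta
    return None


def authorize_vulnerable(api_key: str, path: str) -> bool:
    """Before: any valid key reaches any known route.
    This is the behaviour the post describes: a key from the public
    bundle is accepted on /internal/ endpoints."""
    return _lookup(api_key) is not None and path in ROUTES


def authorize_hardened(api_key: str, path: str, client_ip: str) -> tuple[bool, str]:
    """After: the key's issued scope must equal the route's required scope,
    and /internal/ routes additionally require an internal source address.
    Returns (allowed, reason) so the reason can be logged for detection."""
    meta = _lookup(api_key)
    if meta is None:
        return False, "unknown key"
    required = ROUTES.get(path)
    if required is None:
        return False, "unknown route"
    if meta["scope"] != required:
        return False, f"scope {meta['scope']} cannot access {required} route"
    if path.startswith("/internal/") and not client_ip.startswith(INTERNAL_NETWORKS):
        return False, "internal route reached from external address"
    return True, "ok"


def leaked_keys_in_bundle(bundle_text: str) -> list[str]:
    """Detection: list registered keys appearing verbatim in an asset served
    to unauthenticated users. Any hit is a finding; a hit whose key is
    honoured on internal routes is the situation described in the post."""
    return [f"{k} ({KEYS[k]['scope']})" for k in KEYS if k in bundle_text]


# Constructed JavaScript bundle fragment, not from any real site.
SAMPLE_BUNDLE = 'const cfg={apiKey:"pub_live_a1b2c3",base:"https://api.example.test"};'

if __name__ == "__main__":
    key = leaked_keys_in_bundle(SAMPLE_BUNDLE)
    print("keys found in served bundle:", key)
    print("vulnerable check, public key on internal route:",
          authorize_vulnerable("pub_live_a1b2c3", "/internal/accounts/summary"))
    print("hardened check, same request:",
          authorize_hardened("pub_live_a1b2c3", "/internal/accounts/summary", "203.0.113.5"))
```

The hardened check deliberately returns the denial reason rather than a bare boolean: logging "scope public:read cannot access internal:ops route" from an external address is exactly the signal a detection rule would alert on while the scope of a leaked key is being assessed.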