From the Make WordPress Core blog:
This release fixes a serious information disclosure vulnerability, which allowed for unpublished content and post revisions to be retrieved via the REST API.
This release was coordinated by the REST API team and the WordPress core security team. The security team is pushing automatic updates for this plugin. Each branch was separately patched; there are packages for 1.2.1, 1.1.3, 1.0.2, 0.9.2, and 0.8.2.
Time to update your installs, if you’re using the REST API. Or perhaps the auto-updater will beat you to it.