CORs and Basic Authentication - Am I missing something???

So I’m performing a penetration test and I’m 99% I found a FP, but want to bounce it off someone else who might be able to reaffirm what I’m seeing. All API endpoints authenticate using Basic Auth. Credentials are not cached from visiting the API directly(no prompt). I don’t see how anyone could exploit this since essentially if you attempt to cross origins, you get a API key missing due to no cookie being used.

Request Mockup

GET /v0/somethingcool HTTP/1.1
Authorization: Basic BASICAUTHINFO

Response Mockup

HTTP/1.1 202 Accepted
access-control-allow-credentials: true
access-control-allow-headers: *, Content-Type, Accept, AUTHORIZATION, Cache-Control
access-control-allow-methods: POST, GET, OPTIONS
access-control-expose-headers: Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma
access-control-max-age: 1728000
content-type: application/json