When you pull the detail of an order from API, user password is contained in the returned JSON data. (See the attachment.)
I don't see anything about this in the docs. The only place where the document mentions about the password field is user creation. Even if it was intended, why would we need user password hash in the order data set?
Nothing special, just a simple GET request to this endpoint: example.com/api/2.0/orders/1055 (And if you wonder if this is about only API 2.0, it's not. /api/ endpoint also returns the same subset. Nonetheless, request and response screenshot is attached.
This may also happen because you have a relatively old version of CS-Cart installed. I checked on the newest release (4.15.2) and API call to orders resource does not return any information about user password hash.
I was able to reproduce this issue and forwarded it to the developers. As soon as there will be the solution, I will let you know and will provide you with the changes that are required to fix this behavior.