User Audit Log Permission Bypass (DOM-26-008)
Summary
Digi On-Prem Manager required the User Log permission before showing user audit log pages, but one backing data path did not enforce the same permission. An authenticated dashboard user could read user audit records for groups they could otherwise access.
The issue requires an authenticated dashboard account.
Solution
Update to Digi On-Prem Manager v26.06 or later.
Affected Versions
Digi On-Prem Manager versions before v26.06 are affected.