Missing Permission Enforcement on Inbox and Public Link Actions (DOM-26-010)


Summary

Some Digi On-Prem Manager actions enforced authentication but not the specific permission they required. The API enrollment-inbox actions (list, allow, reject, delete) did not require the device inbox permission, and creating, renewing, or rotating a public device share link did not require the device edit permission or honor the system-wide sharing setting. As a result, any authenticated user could perform these actions, including one whose role lacks the corresponding permission, and a public share link could be created or rotated even when public sharing was disabled system-wide.

Exploiting the issue requires an authenticated account; the missing checks were authorization (permission) checks, not authentication checks.

Solution

Update to Digi On-Prem Manager v26.06 or later. The API enrollment-inbox actions now require the device inbox permission, and public share-link creation, renewal, and rotation now require the device edit permission and respect the system-wide sharing setting.
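The following is an added illustration of the authorization pattern described in the Summary and Solution above. It is not Digi On-Prem Manager code: the permission identifiers, the settings object, the in-memory inbox and share-link stores, and the share URL shape are all assumptions made for the example. The "before" handlers gate only on authentication, which is the class of defect the advisory describes; the "after" handlers require the action's specific permission and, for share links, also consult the system-wide sharing setting.

```python
"""Per-action permission enforcement, vulnerable pattern beside the fixed one.

Added example, not Digi On-Prem Manager code. Permission names, the settings
object, the stores and the URL format are assumptions for illustration.
"""
import secrets
from dataclasses import dataclass

PERM_DEVICE_INBOX = "device.inbox"  # assumed identifier for the device inbox permission
PERM_DEVICE_EDIT = "device.edit"    # assumed identifier for the device edit permission
SHARE_TTL_DAYS = 7                  # assumed lifetime granted by create/renew


class PermissionDenied(Exception):
    """Raised when a caller is unauthenticated or lacks the required permission."""


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset = frozenset()


@dataclass
class SystemSettings:
    public_sharing_enabled: bool = True  # assumed system-wide sharing setting


def authenticated(user):
    """The only check the vulnerable handlers performed."""
    if user is None:
        raise PermissionDenied("authentication required")


def require_permission(user, permission):
    """Fixed check: the caller must be authenticated AND hold the action's permission."""
    authenticated(user)
    if permission not in user.permissions:
        raise PermissionDenied(f"missing permission {permission}")


# --- Vulnerable pattern: authentication is the only gate ---------------------
def inbox_action_before(user, action, inbox, request_id=None):
    authenticated(user)  # device inbox permission never consulted
    return _apply_inbox_action(action, inbox, request_id)


def share_link_before(user, action, device_id, links, settings):
    authenticated(user)  # device edit permission and sharing setting ignored
    return _apply_share_link_action(action, device_id, links)


# --- Fixed pattern: the specific permission (and the global setting) gate ----
def inbox_action_after(user, action, inbox, request_id=None):
    require_permission(user, PERM_DEVICE_INBOX)
    return _apply_inbox_action(action, inbox, request_id)


def share_link_after(user, action, device_id, links, settings):
    require_permission(user, PERM_DEVICE_EDIT)
    if not settings.public_sharing_enabled:
        raise PermissionDenied("public device sharing is disabled system-wide")
    return _apply_share_link_action(action, device_id, links)


# --- Business logic shared by both versions; only the gating differs ---------
def _apply_inbox_action(action, inbox, request_id):
    if action == "list":
        return dict(inbox)
    if action in ("allow", "reject"):
        inbox[request_id] = "allowed" if action == "allow" else "rejected"
        return inbox[request_id]
    if action == "delete":
        return inbox.pop(request_id)
    raise ValueError(f"unknown inbox action {action!r}")


def _apply_share_link_action(action, device_id, links):
    if action == "create":
        if device_id in links:
            raise ValueError("share link already exists; renew or rotate it instead")
        links[device_id] = {"token": secrets.token_urlsafe(16), "expires": SHARE_TTL_DAYS}
    elif action == "renew":
        links[device_id]["expires"] += SHARE_TTL_DAYS   # same secret, longer lifetime
    elif action == "rotate":
        links[device_id]["token"] = secrets.token_urlsafe(16)  # new secret, old URL dies
    else:
        raise ValueError(f"unknown share-link action {action!r}")
    return f"https://example.invalid/share/{links[device_id]['token']}"  # assumed URL shape


def denied(handler, *args):
    """True if the handler refuses the call with PermissionDenied."""
    try:
        handler(*args)
    except PermissionDenied:
        return True
    return False


if __name__ == "__main__":
    viewer = User("viewer")  # authenticated, but holds no device permissions
    inbox = {"req-1": "pending"}
    print("before:", inbox_action_before(viewer, "allow", inbox, "req-1"))
    print("after denied:", denied(inbox_action_after, viewer, "allow", inbox, "req-1"))
```

The point the example makes is that `authenticated()` alone is not an authorization decision: each action has to name the permission it requires and check it, and settings that disable a feature globally have to be consulted in the same place, otherwise a low-privilege account reaches the action exactly as the advisory describes.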

Affected Versions

Digi On-Prem Manager versions before v26.06 are affected.