Email Compliance isolation weakness discovered and remediated internally

WAYSCLOUD-TR-2026-0022 | Security Report | medium | Resolved
Published: 2026-06-07 02:02:46 UTC
Event: Jun 7, 2026 — Jun 7, 2026

Summary

During internal testing of our Email Compliance service, WAYSCloud discovered a tenant-isolation weakness that could, in principle, have allowed Email Compliance dashboard data from one account to be returned to another account.

The issue was discovered internally before customer exposure, remediated the same day, and verified through end-to-end testing.

No customer data was exposed.

What Happened

On 2026-06-07, while testing a new Email Compliance feature in WAYSCloud Shield, our engineering team identified that one tenant-isolation control was not being enforced as intended at the database layer.

The affected service uses account-level isolation to ensure that each customer account can only access its own Email Compliance data. During testing, we found that a database privilege configuration caused this isolation layer to be inactive for the application role used by the service.

As a result, some dashboard API queries that were expected to be automatically scoped to the requesting account were not sufficiently constrained at the database layer.

Impact

There is no evidence of customer impact.

At the time of discovery:

  • No external customer data was exposed
  • No customer credentials, payment data or email contents were involved
  • No evidence of external access or misuse was found
  • The issue was observed during internal testing
  • Other WAYSCloud services were not affected

The data protected by this control includes monitored domain names, compliance scores, detected findings and aggregate DMARC/TLS report metadata.

Root Cause

The root cause was a database role and row-isolation configuration issue.

The relevant database policies existed, but they were not enforced for the application role in the way we expected. This meant that the service relied too heavily on a single database-layer control for tenant isolation.

Remediation

The issue was fixed on 2026-06-07.

We implemented explicit account-level filtering across Email Compliance dashboard queries, including read, list, detail, trend, alert and operation paths.

We also added ownership checks for per-item endpoints, so that requests for records outside the requesting account return "not found".

In addition, the database row-security context remains in place as a second layer of protection.

Verification

After remediation, we completed end-to-end testing against the running service.

The tests confirmed that:

  • Each account can only see its own domains and compliance data
  • Requests for another account's records return "not found"
  • Legitimate same-account access continues to work as expected
  • No regression was observed in normal Email Compliance functionality
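
The remediation and verification described above, as an added example that is not WAYSCloud's code: explicit account filters on list and per-item queries, with foreign and missing records both answered as "not found", plus an isolation test. The SQLite schema, the names domains, account_id, acct-a and acct-b, and all rows are constructed assumptions; the report does not name its database or schema.

```python
import sqlite3

# Constructed schema and rows; table, column and account names are assumptions.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE domains (id INTEGER PRIMARY KEY, account_id TEXT NOT NULL,"
               " name TEXT NOT NULL, score INTEGER NOT NULL)")
    db.executemany("INSERT INTO domains VALUES (?, ?, ?, ?)", [
        (1, "acct-a", "a-one.example", 91),
        (2, "acct-a", "a-two.example", 64),
        (3, "acct-b", "b-one.example", 77),
    ])
    return db

class NotFound(Exception):
    """Raised for missing records and for records owned by another account alike."""

def list_domains(db, account_id):
    # Explicit tenant predicate in the query itself; nothing is left to a
    # database policy that may or may not apply to the connecting role.
    rows = db.execute("SELECT id, name, score FROM domains WHERE account_id = ? ORDER BY id",
                      (account_id,))
    return [dict(zip(("id", "name", "score"), r)) for r in rows]

def get_domain(db, account_id, domain_id):
    # Ownership check folded into the lookup: a foreign id and a nonexistent id
    # take the same path, so the response does not confirm the record exists.
    row = db.execute("SELECT id, name, score FROM domains WHERE id = ? AND account_id = ?",
                     (domain_id, account_id)).fetchone()
    if row is None:
        raise NotFound(f"domain {domain_id} not found")
    return dict(zip(("id", "name", "score"), row))

def cross_tenant_leaks(db, accounts):
    """Isolation test: every id one account can list must be NotFound for the others."""
    leaks = []
    for owner in accounts:
        for rec in list_domains(db, owner):
            for other in accounts:
                if other == owner:
                    continue
                try:
                    get_domain(db, other, rec["id"])
                    leaks.append((other, rec["id"]))
                except NotFound:
                    pass
    return leaks
```

Running cross_tenant_leaks against a role with no database-layer row policy at all, as SQLite is here, shows that the application-layer filter holds on its own.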

Customer Action

No customer action is required.

No customer data was exposed, and the issue has been remediated.

Our Commitment

We publish security-relevant findings even when they are discovered internally and even when no customer was affected.

In this case, the issue was found during our own testing, fixed the same day, and used to strengthen the isolation model of the service before broader exposure.