Security Alert
Title: Enhanced security for encrypted tenant options
Severity: High
Summary:
We have introduced a new security feature in the platform to address a potential vulnerability in the handling of encrypted tenant options prefixed with "credentials.". Without this feature, system users with certain roles can decrypt any encrypted tenant option within the tenant, regardless of whether it logically belongs to them or not. This means that ownership of sensitive configuration is not enforced, potentially exposing credentials across unrelated microservices.
To mitigate this, decryption of credentials.* options is now restricted to system users who own the tenant option. You are affected by this change if your microservice tries to read a "credentials." option that it does not own. Ownership is determined based on the category of the option in the following order:
- The settingsCategory defined in the microservice manifest.
- The microservice's context path.
- The microservice name.
Recommended Action:
This feature is currently disabled by default, but can be enabled in a tenant via the secure-tenant-options feature toggle through the API:
curl --location --request PUT '{url}/features/secure-tenant-options/by-tenant' \
--header 'Content-Type: application/json' \
--data '{
"active": true
}'
Important:
This restriction will become mandatory in Q4 2025 for SaaS environments and in 2026 for yearly releases. We strongly recommend that developers review and update their microservices accordingly, especially if their services rely on decrypting credentials.* options in categories not explicitly owned by them.
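One way to run the review recommended above before enabling the toggle, as an added example that is not part of the original advisory or the platform's own code: it resolves the category a microservice owns using the order listed earlier and flags "credentials." reads in any other category. It assumes the three items form a fallback chain (the first one defined wins), the manifest field names contextPath and name, and exact string matching on categories; the manifest and option list are constructed samples.

```python
import json

# Constructed sample manifest; field values are illustrative only.
SAMPLE_MANIFEST = json.loads("""
{
  "name": "billing-sync",
  "contextPath": "billing",
  "settingsCategory": null
}
""")

# Constructed list of tenant options the service reads: (category, key).
SAMPLE_READS = [
    ("billing", "credentials.api_token"),
    ("billing", "poll.interval"),
    ("smtp-gateway", "credentials.password"),
    ("smtp-gateway", "host"),
]

# Ownership order from the advisory; contextPath and name are assumed field names.
OWNERSHIP_FIELDS = ("settingsCategory", "contextPath", "name")


def owned_category(manifest):
    """Return the first non-empty value among the ownership fields."""
    for field in OWNERSHIP_FIELDS:
        value = manifest.get(field)
        if isinstance(value, str) and value.strip():
            return value.strip()
    raise ValueError("manifest defines none of: " + ", ".join(OWNERSHIP_FIELDS))


def unowned_credential_reads(manifest, reads):
    """List credentials.* reads whose category the service does not own."""
    owner = owned_category(manifest)
    return [(category, key) for category, key in reads
            if key.startswith("credentials.") and category != owner]


if __name__ == "__main__":
    print("owned category:", owned_category(SAMPLE_MANIFEST))
    for category, key in unowned_credential_reads(SAMPLE_MANIFEST, SAMPLE_READS):
        print(f"not owned, affected by secure-tenant-options: {category}/{key}")
```

Non-credential options such as smtp-gateway/host are not flagged, since the restriction described here applies only to credentials.* options.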
Affected Versions: all versions
Fixed in: Cumulocity core CD release 2025.116.0 and the next annual release in 2026.
Contact:
If you have any questions or need assistance, please contact support.