PCL-SA-2026-902 TLP:CLEAR Low Status: Public

Northstar Metadata Exposure

A low-severity authorization gap in Northstar Admin Console exposed limited build metadata to authenticated users without the diagnostics role.

SeverityLowCVENot applicableImpactLimited authenticated metadata exposureTypeInformation exposureComponentDiagnostics metadata viewExploit CodeNo public exploit known

Public Record

PCL-SA-2026-902 ยท Updated 2026-05-23

Disclosure Status

Public advisory after coordinated remediation review

Summary

PunchCard Labs reviewed a low-severity information exposure in the Northstar Admin Console diagnostics metadata view. An authenticated user without the diagnostics role could read a limited set of build and deployment descriptors intended for diagnostic operators.

The exposed values were limited to product channel, build train, feature group, and non-sensitive environment labels. The review did not identify exposure of credentials, customer records, session material, private keys, internal hostnames, or privileged configuration values.

Affected Product

Northstar Admin Console versions 4.2 through 4.4 are affected when diagnostics metadata is enabled and the default low-privilege console profile is assigned. Earlier and later release trains were not assessed for this publication.

Technical Overview

The condition resulted from inconsistent authorization checks between the primary diagnostics panel and a secondary metadata view used by the console shell. The primary panel required the diagnostics role before rendering metadata. The secondary view inherited authentication state but did not consistently enforce the same role requirement.

The available metadata could help an authenticated user understand deployment age, release channel, and feature-group assignment. On its own, the information does not provide a privilege escalation path, access to restricted records, or a direct availability impact.

Impact

Impact is limited to low-value metadata disclosure within an authenticated environment. The issue may marginally assist internal reconnaissance, but it does not change privileges, expose protected records, modify system state, or affect service availability.

Detection And Review

Administrators should review console access logs for low-privilege users requesting diagnostics metadata views. Access from expected support, operator, or administrator roles should be considered normal. Unexpected access from standard user roles should be reviewed with application version and role assignment context.

Remediation

Upgrade to a fixed Northstar Admin Console release or apply vendor guidance requiring the diagnostics role for all metadata views. Environments with strict internal disclosure requirements should temporarily disable diagnostics metadata until the authorization correction is deployed.

Timeline

  • 2026-05-08: Report received by PunchCard Labs.
  • 2026-05-10: Scope and data sensitivity reviewed.
  • 2026-05-16: Vendor-side authorization correction confirmed.
  • 2026-05-23: Public advisory released.

Notes

No CVE was assigned at publication time. The issue is low severity because exploitation requires authenticated access and the exposed data is limited in sensitivity.