From 3753a5e85334c38e000b3c9d7c8235afa9d5dc48 Mon Sep 17 00:00:00 2001
From: Brad <44413459+lastbestdev@users.noreply.github.com>
Date: Tue, 17 Feb 2026 10:06:03 -0800
Subject: [PATCH] [PM-31356] Event logs: Ensure User has access to Service Account Organization #6997 Fix a vulnerability in the service account events API that allowed any Premium/Enterprise User to retrieve events for any service account. This change ensures that the requesting User has access to the Organization the service account belongs to, by checking for it in the list of Orgs in request context. This matches the pattern from other endpoints in EventsController
---
 src/Api/Dirt/Controllers/EventsController.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Api/Dirt/Controllers/EventsController.cs b/src/Api/Dirt/Controllers/EventsController.cs
index 1ac83c1316..96c4f298ce 100644
--- a/src/Api/Dirt/Controllers/EventsController.cs
+++ b/src/Api/Dirt/Controllers/EventsController.cs
@@ -212,7 +212,7 @@ public class EventsController : Controller
 }
 var serviceAccount = await GetServiceAccount(id, orgId);
- var org = _currentContext.GetOrganization(orgId);
+ var org = _currentContext.GetOrganization(serviceAccount.OrganizationId);
 if (org == null || !await _currentContext.AccessEventLogs(org.Id))
 {