SSC: Secret launch throwing Access Denied errors

Incident Report for Delinea

Postmortem

Incident Overview

Users attempting to update or create secrets through specific API endpoints encountered “Access Denied” errors. This impacted the following scenarios:

Uploading a file to a secret field
Assigning a list to a field
General secret create/update operations when LauncherConnectAsSecretId was configured

Affected Endpoints:

POST /api/v1/secrets/
PUT /api/v1/secrets/{id}/
PUT /api/v1/secrets/{id}/fields/{slug}/listdetails
PUT /api/v1/secrets/{id}/fields/{slug}/

The first two endpoints are used primarily by integrations and automation scripts. The latter two are used by the UI for list assignments and file attachments.

Start Time: November 15, 2025 6:00 PM Eastern
End Time: November 17, 2025 9:35 PM Eastern

Root Cause

In the latest SSC release, a bug fix was deployed introducing new logic intended to correctly apply the LauncherConnectAsSecretId parameter in cases where a privileged secret lacked a PuTTY launcher. While the intended scenario was resolved, the updated logic unintentionally caused Access Denied failures across the four endpoints listed above.

This issue was partially identified and corrected during QA; however, not all affected paths were detected. A relevant integration test existed, but the test selection logic used during merge-time impact analysis did not include that test. As a result, the problematic code path was not validated before deployment, allowing a narrower version of the issue to reach production.

The issue was resolved by reverting the affected code and redeploying the previous stable implementation.

Preventive Actions

Expand the impact-analysis logic used during code merges to ensure a broader set of integration tests is always executed, particularly those related to authorization logic.
Review and refine automated test coverage for LauncherConnectAsSecretId and related authorization flows.
Add targeted regression tests for all endpoints impacted in this incident to prevent similar authorization side effects.

Posted Nov 21, 2025 - 12:07 EST

Resolved

We are investigating reports from a subset of customers getting Access Denied errors when attempting to create or update secrets. We identified that the issue is caused due to a bug introduced in the latest SSC release. Our engineering teams are working to revert the changes to a previous stable release.

We apologize for any inconvenience this may cause and appreciate your patience during this time.

For assistance or updates, please contact our support team at https://support.delinea.com.

Posted Nov 17, 2025 - 05:30 EST