Friday 26 June 2026 12:25:32 GMT+02:00

WIKICROOK

Cross-tenant leak

Exposure of one customer’s data to another customer inside the same shared system.

A cross-tenant leak happens when data from one customer, or tenant, becomes visible to another customer inside the same shared platform. In cloud services, SaaS, and multi-tenant AI systems, each tenant is supposed to have separate access controls, storage boundaries, and identity checks. When those checks fail, private content such as files, prompts, chat logs, metadata, or configuration data can be exposed across organizational lines.

This matters because a single mistake in the control plane can defeat the isolation that many customers rely on. Attackers may exploit missing ownership checks, insecure file previews, broken authorization on APIs, or misrouted telemetry to read data they should never see. Defenders reduce the risk by enforcing tenant-aware authorization on every request, isolating storage and logs, testing for IDOR-style access flaws, and treating previews, traces, and exports as sensitive. In practice, cross-tenant leaks are a high-impact class of cloud bug because they can quietly turn a shared service into a source of unauthorized disclosure.
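
The missing ownership check and the tenant-aware version of the same lookup, with an isolation test that flags any object served across the tenant boundary. This is an added example, not code from Netcrook; the tenants, users, file IDs and function names are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    user: str
    tenant_id: str  # taken from the authenticated session, not the request

@dataclass(frozen=True)
class StoredFile:
    file_id: int
    tenant_id: str
    content: str

# Constructed sample data: two tenants sharing one object store.
FILES = {
    101: StoredFile(101, "tenant-a", "A: payroll export"),
    102: StoredFile(102, "tenant-b", "B: support chat log"),
}
PRINCIPALS = [Principal("alice", "tenant-a"), Principal("bob", "tenant-b")]

class NotFound(Exception):
    """Raised for missing and foreign objects alike, so responses do not
    reveal whether another tenant's ID exists."""

def get_file_unscoped(principal, file_id):
    # Weak form: the caller is authenticated, but object ownership is never checked.
    f = FILES.get(file_id)
    if f is None:
        raise NotFound(file_id)
    return f.content

def get_file_scoped(principal, file_id):
    # Hardened form: the principal's tenant is part of the lookup condition.
    f = FILES.get(file_id)
    if f is None or f.tenant_id != principal.tenant_id:
        raise NotFound(file_id)
    return f.content

def cross_tenant_findings(handler, principals):
    """Isolation test: every principal requests every object; return each
    (user, file_id) pair where another tenant's object was served."""
    findings = []
    for p in principals:
        for fid, f in FILES.items():
            try:
                handler(p, fid)
            except NotFound:
                continue
            if f.tenant_id != p.tenant_id:
                findings.append((p.user, fid))
    return findings
```

Running `cross_tenant_findings` against each handler in CI turns the isolation requirement into a regression test: an empty list is the only passing result.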
