Potential vulnerability bypassing GWC data security
In certain GeoServer configuration setups, it's possible to bypass the "Enable Data Security" option in GeoWebCache and gain access to cached WMS tiles that should be private.
I can provide more detailed information on the types of configurations that exhibit this issue, but since this could be considered a security issue, I thought I'd see how you wanted to proceed first. I also have a potential patch for this bug that I can share. So let me know if you'd like for me to share more details and the patch in private or in public.