diff --git a/api/src/Storage/Tracking.php b/api/src/Storage/Tracking.php
index 21d4d1e584..9838f5afc5 100644
--- a/api/src/Storage/Tracking.php
+++ b/api/src/Storage/Tracking.php
@@ -254,6 +254,10 @@ abstract class Tracking {
 if (in_array($field['type'], Customfields::$non_printable_fields)) continue;
+ // Sometimes cached customfields let private fields the user can access
+ // leak through. Make sure we don't expose them.
+ if ($field['private']) continue;
+
 if (!$header_done) {
 $details['custom'] = array(
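Review bot: The added `if ($field['private']) continue;` filters private fields only at this one output point, while the comment above it puts the cause in the cached customfields, so any other code that walks the same cached list is presumably still exposed; the filter would be more robust where that list is fetched or cached. The check also assumes every cached entry carries a `private` key: an entry without it raises an undefined-key notice and is treated as public, so `if (!empty($field['private'])) continue;` would at least keep the notice out of the output. The comment could state that every private field is dropped on purpose, whatever the current user's own access, for example `// Skip all private fields here, even ones the current user may read`. The enclosing method starts and ends outside the hunk, so whether the list is already filtered upstream cannot be seen from here.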