diff --git a/api/src/org/labkey/api/exp/api/ExperimentService.java b/api/src/org/labkey/api/exp/api/ExperimentService.java
index eb195043dee..b744dcbf3ca 100644
--- a/api/src/org/labkey/api/exp/api/ExperimentService.java
+++ b/api/src/org/labkey/api/exp/api/ExperimentService.java
@@ -163,6 +163,9 @@ enum DataTypeForExclusion
     @Nullable
     ExpRun getExpRun(int rowId);
 
+    @Nullable
+    ExpRun getExpRun(int rowId, @Nullable Container container);
+
     List<? extends ExpRun> getExpRuns(Collection<Integer> rowIds);
 
     @Nullable
diff --git a/api/src/org/labkey/api/view/ViewServlet.java b/api/src/org/labkey/api/view/ViewServlet.java
index 2f446760067..48273010c3b 100644
--- a/api/src/org/labkey/api/view/ViewServlet.java
+++ b/api/src/org/labkey/api/view/ViewServlet.java
@@ -506,6 +506,12 @@ public void setActionURL(ActionURL actionURL)
             return _actionURL.getParameterMap();
         }
 
+        @Override
+        public String getParameter(@NotNull String name)
+        {
+            return _actionURL.getParameter(name);
+        }
+
         @Override
         public @NotNull String @NotNull [] getParameterValues(@NotNull String name)
         {
diff --git a/assay/api-src/org/labkey/api/assay/nab/view/DilutionGraphAction.java b/assay/api-src/org/labkey/api/assay/nab/view/DilutionGraphAction.java
index 43787be934c..935e8f9d70d 100644
--- a/assay/api-src/org/labkey/api/assay/nab/view/DilutionGraphAction.java
+++ b/assay/api-src/org/labkey/api/assay/nab/view/DilutionGraphAction.java
@@ -44,7 +44,8 @@ public ModelAndView getView(GraphForm form, BindException errors) throws Excepti
     {
         if (form.getRowId() == -1)
             throw new NotFoundException("Run ID not specified.");
-        ExpRun run = ExperimentService.get().getExpRun(form.getRowId());
+        // GitHub Kanban #1892: Resolve the run scoped to the current container
+        ExpRun run = ExperimentService.get().getExpRun(form.getRowId(), getContainer());
         if (run == null)
             throw new NotFoundException("Run " + form.getRowId() + " does not exist.");
 
diff --git a/assay/api-src/org/labkey/api/assay/nab/view/GraphSelectedAction.java b/assay/api-src/org/labkey/api/assay/nab/view/GraphSelectedAction.java
index 2db8d7c6c69..4c5e9a033e2 100644
--- a/assay/api-src/org/labkey/api/assay/nab/view/GraphSelectedAction.java
+++ b/assay/api-src/org/labkey/api/assay/nab/view/GraphSelectedAction.java
@@ -71,6 +71,8 @@ public ModelAndView getView(FormType form, BindException errors) throws Exceptio
                 objectIds[idx++] = Integer.parseInt(objectIdString);
         }
 
+        // GitHub Issue #1892: (NAB-9) The object ids come straight from the request and getDilutionSummaries() resolves them to runs
+        verifyObjectIdsReadable(objectIds);
         Set<Integer> cutoffSet = new HashSet<>();
         DilutionAssayProvider provider = (DilutionAssayProvider) AssayService.get().getProvider(_protocol);
         Map<DilutionSummary, DilutionAssayRun> summaries = provider.getDataHandler().getDilutionSummaries(getUser(), form.getFitTypeEnum(), objectIds);
@@ -92,6 +94,13 @@ public ModelAndView getView(FormType form, BindException errors) throws Exceptio
         return new VBox(new AssayHeaderView(_protocol, provider, false, true, null), multiGraphView);
     }
 
+    /**
+     * Verify that the current user may view each of the requested object ids before any run data is loaded.
+     */
+    protected void verifyObjectIdsReadable(int[] ids) throws Exception
+    {
+    }
+
     protected abstract GraphSelectedBean createSelectionBean(ViewContext context, ExpProtocol protocol, int[] cutoffs,
                                                              int[] dataObjectIds, String caption, String title);
 
diff --git a/assay/api-src/org/labkey/api/assay/nab/view/MultiGraphAction.java b/assay/api-src/org/labkey/api/assay/nab/view/MultiGraphAction.java
index 09924804c8c..ef6bbb09afc 100644
--- a/assay/api-src/org/labkey/api/assay/nab/view/MultiGraphAction.java
+++ b/assay/api-src/org/labkey/api/assay/nab/view/MultiGraphAction.java
@@ -16,13 +16,13 @@
 package org.labkey.api.assay.nab.view;
 
 import org.labkey.api.action.SimpleViewAction;
+import org.labkey.api.assay.AssayService;
 import org.labkey.api.assay.dilution.DilutionAssayProvider;
 import org.labkey.api.assay.dilution.DilutionAssayRun;
 import org.labkey.api.assay.dilution.DilutionSummary;
 import org.labkey.api.assay.nab.NabGraph;
 import org.labkey.api.exp.api.ExpProtocol;
 import org.labkey.api.exp.api.ExperimentService;
-import org.labkey.api.assay.AssayService;
 import org.labkey.api.view.NavTree;
 import org.springframework.validation.BindException;
 import org.springframework.web.servlet.ModelAndView;
@@ -35,12 +35,13 @@
  * User: klum
  * Date: 6/11/13
  */
-public class MultiGraphAction<FormType extends GraphSelectedForm> extends SimpleViewAction<FormType>
+public abstract class MultiGraphAction<FormType extends GraphSelectedForm> extends SimpleViewAction<FormType>
 {
     @Override
     public ModelAndView getView(FormType form, BindException errors) throws Exception
     {
         int[] ids = form.getId();
+        verifyObjectIdsReadable(ids);
         ExpProtocol protocol = ExperimentService.get().getExpProtocol(form.getProtocolId());
         DilutionAssayProvider provider = (DilutionAssayProvider)AssayService.get().getProvider(protocol);
         Map<DilutionSummary, DilutionAssayRun> summaries = provider.getDataHandler().getDilutionSummaries(getUser(), form.getFitTypeEnum(), ids);
@@ -63,6 +64,13 @@ public ModelAndView getView(FormType form, BindException errors) throws Exceptio
         return null;
     }
 
+    /**
+     * Verify that the current user may view each of the requested object ids before any run data is loaded.
+     */
+    protected void verifyObjectIdsReadable(int[] ids) throws Exception
+    {
+    }
+
     protected NabGraph.Config getGraphConfig(FormType form)
     {
         NabGraph.Config config = new NabGraph.Config();
diff --git a/experiment/src/org/labkey/experiment/api/ExperimentServiceImpl.java b/experiment/src/org/labkey/experiment/api/ExperimentServiceImpl.java
index fe53e505d8f..2ee92e64f89 100644
--- a/experiment/src/org/labkey/experiment/api/ExperimentServiceImpl.java
+++ b/experiment/src/org/labkey/experiment/api/ExperimentServiceImpl.java
@@ -374,10 +374,23 @@ public void clearDataClassCache(@Nullable Container c)
 
     @Override
     public @Nullable ExpRunImpl getExpRun(int rowId)
+    {
+        return getExpRun(rowId, null);
+    }
+
+    @Override
+    public @Nullable ExpRunImpl getExpRun(int rowId, @Nullable Container container)
     {
         SimpleFilter filter = new SimpleFilter(FieldKey.fromParts(ExpRunTable.Column.RowId.name()), rowId);
         ExperimentRun run = new TableSelector(getTinfoExperimentRun(), filter, null).getObject(ExperimentRun.class);
-        return run == null ? null : new ExpRunImpl(run);
+        if (run == null)
+            return null;
+
+        // GitHub Kanban #1892: if container provided, ensure the run belongs to the container
+        if (container != null && !run.getContainer().equals(container))
+            return null;
+
+        return new ExpRunImpl(run);
     }
 
     private List<ExpRunImpl> getExpRuns(SimpleFilter filter)