diff --git a/manila/api/v2/share_export_locations.py b/manila/api/v2/share_export_locations.py
index babbb55e72..8a81c2046e 100644
--- a/manila/api/v2/share_export_locations.py
+++ b/manila/api/v2/share_export_locations.py
@@ -20,6 +20,7 @@ from manila.api.views import export_locations as export_locations_views
 from manila.db import api as db_api
 from manila import exception
 from manila.i18n import _
+from manila import policy
 
 
 class ShareExportLocationController(wsgi.Controller):
@@ -32,7 +33,9 @@ class ShareExportLocationController(wsgi.Controller):
 
     def _verify_share(self, context, share_id):
         try:
-            db_api.share_get(context, share_id)
+            share = db_api.share_get(context, share_id)
+            if not share['is_public']:
+                policy.check_policy(context, 'share', 'get', share)
         except exception.NotFound:
             msg = _("Share '%s' not found.") % share_id
             raise exc.HTTPNotFound(explanation=msg)
diff --git a/manila/api/v2/share_instance_export_locations.py b/manila/api/v2/share_instance_export_locations.py
index 38af170670..be9c9c35b4 100644
--- a/manila/api/v2/share_instance_export_locations.py
+++ b/manila/api/v2/share_instance_export_locations.py
@@ -21,6 +21,7 @@ from manila.api.views import export_locations as export_locations_views
 from manila.db import api as db_api
 from manila import exception
 from manila.i18n import _
+from manila import policy
 
 
 class ShareInstanceExportLocationController(wsgi.Controller):
@@ -33,7 +34,12 @@ class ShareInstanceExportLocationController(wsgi.Controller):
 
     def _verify_share_instance(self, context, share_instance_id):
         try:
-            db_api.share_instance_get(context, share_instance_id)
+            share_instance = db_api.share_instance_get(context,
+                                                       share_instance_id,
+                                                       with_share_data=True)
+            if not share_instance['is_public']:
+                policy.check_policy(context, 'share_instance', 'show',
+                                    share_instance)
         except exception.NotFound:
             msg = _("Share instance '%s' not found.") % share_instance_id
             raise exc.HTTPNotFound(explanation=msg)
diff --git a/releasenotes/notes/bug-1654598-enforce-policy-checks-for-share-export-locations-a5cea1ec123b1469.yaml b/releasenotes/notes/bug-1654598-enforce-policy-checks-for-share-export-locations-a5cea1ec123b1469.yaml
new file mode 100644
index 0000000000..5af1028717
--- /dev/null
+++ b/releasenotes/notes/bug-1654598-enforce-policy-checks-for-share-export-locations-a5cea1ec123b1469.yaml
@@ -0,0 +1,6 @@
+---
+security:
+  - |
+    Closes a gap where a user can see the export locations for another user's
+    share if the uuid of the other share is leaked, stolen, or (improbably)
+    guessed.