With a known valid invite link (i.e. not already accepted or expired) an unauthenticated attacker can manipulate the cookie to allow the same invite link to be reused on multiple accounts when joining an organization.
You can find details in our GitHub Security Advisory.
No action is necessary for Sentry SaaS users.
Self-hosted Sentry installs should upgrade to version 22.11.0 or higher. As a workaround, administrators can disable the invite functionality until they are ready to deploy the patched version by editing their sentry.conf.py file (usually located at ~/.sentry/). Add the following line to sentry.conf.py:

SENTRY_FEATURES["organizations:invite-members"] = False
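The following is an added example, not code from Sentry or from this advisory, that an administrator could use to check whether a self-hosted install meets the advisory's guidance: either it runs 22.11.0 or higher, or the workaround line is present (and not commented out) in sentry.conf.py. The version is compared numerically rather than as a string, since a string comparison would rank "22.9.0" above "22.11.0". The regex for the workaround line, the sample configuration texts and the "patched"/"mitigated"/"exposed" labels are assumptions made for this example; the advisory does not list which earlier versions are affected, so "mitigated" only means the workaround is in place on a version below the fix target.

```python
import re

# First fixed release named in the advisory, as a numeric tuple.
PATCHED_VERSION = (22, 11, 0)

# Matches an active (uncommented) line that turns the invite feature off.
# Accepts either quote style and a trailing comment; a line that starts
# with "#" does not match. (Assumption: the line appears on its own.)
DISABLE_LINE = re.compile(
    r'^\s*SENTRY_FEATURES\[\s*["\']organizations:invite-members["\']\s*\]'
    r'\s*=\s*False\s*(?:#.*)?$',
    re.MULTILINE,
)

# Constructed sample configs for demonstration (not real deployments).
CONFIG_WITH_WORKAROUND = """\
# constructed sample sentry.conf.py
from sentry.conf.server import *
SENTRY_FEATURES["organizations:invite-members"] = False  # advisory workaround
"""

CONFIG_COMMENTED_OUT = """\
# constructed sample sentry.conf.py with the workaround left commented out
from sentry.conf.server import *
# SENTRY_FEATURES["organizations:invite-members"] = False
"""


def parse_version(version: str) -> tuple:
    """Turn '22.11.0' into (22, 11, 0) so comparisons are numeric.

    Missing components are padded with zeros ('22.11' -> (22, 11, 0));
    a non-numeric suffix such as '.dev0' ends the parse.
    """
    parts = []
    for piece in version.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_patched(version: str) -> bool:
    """True if the running version is at or above the advisory's fix version."""
    return parse_version(version) >= PATCHED_VERSION


def invites_disabled(conf_text: str) -> bool:
    """True if sentry.conf.py contains the workaround line, uncommented."""
    return DISABLE_LINE.search(conf_text) is not None


def assess(version: str, conf_text: str) -> str:
    """Classify an install as 'patched', 'mitigated' (workaround present) or 'exposed'."""
    if is_patched(version):
        return "patched"
    if invites_disabled(conf_text):
        return "mitigated"
    return "exposed"


if __name__ == "__main__":
    for ver, conf in [("22.10.0", CONFIG_WITH_WORKAROUND),
                      ("22.10.0", CONFIG_COMMENTED_OUT),
                      ("22.11.0", "")]:
        print(ver, "->", assess(ver, conf))
```

Run it against the output of `sentry --version` and the contents of your sentry.conf.py; an "exposed" result means neither the upgrade nor the workaround is in place.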
No. Past invite links that have already been accepted or expired are not vulnerable.
No. Out of caution, you can opt to rotate these links if you suspect they may have been intercepted.
Only those with the Owner role, Manager role, or the recipient of the invite can see the link.