With a known valid invite link (i.e. not already accepted or expired) an unauthenticated attacker can manipulate the cookie to allow the same invite link to be reused on multiple accounts when joining an organization.
You can find details in our Github Security Advisory.
No action is necessary for Sentry SaaS users.
Self-hosted Sentry installs should upgrade to version 22.11.0 or higher. As a workaround, administrators can disable the invite functionality until they are ready to deploy the patched version by editing their
sentry.conf.py file (usually located at
Add the following line into
SENTRY_FEATURES["organizations:invite-members"] = False
No. Past invite links that have already been accepted or expired are not vulnerable.
No. Out of caution, you can opt to rotate these links if you suspect they may have been intercepted.
Only those with the Owner role, Manager role, or the recipient of the invite can see the link.