CVE-2025-22146

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-22146
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-22146.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-22146
Aliases
Published
2025-01-15T19:57:59.734Z
Modified
2026-04-10T05:22:42.115947Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
Improper authentication on SAML SSO process allows user impersonation in sentry
Details

Sentry is a developer-first error tracking and performance monitoring tool. A critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via our private bug bounty program. The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance. The victim email address must be known in order to exploit this vulnerability. The Sentry SaaS fix was deployed on Jan 14, 2025. For self hosted users; if only a single organization is allowed (SENTRY_SINGLE_ORGANIZATION = True), then no action is needed. Otherwise, users should upgrade to version 25.1.0 or higher. There are no known workarounds for this vulnerability.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/22xxx/CVE-2025-22146.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-287"
    ]
}
References

Affected packages

Git / github.com/getsentry/sentry

Affected ranges

Type
GIT
Repo
https://github.com/getsentry/sentry
Events
Introduced
5cd2287820d7a1314c0437682de8d0e79ad316b2
Fixed
7ca1e3af4f1406e7cab6a8af79f8fe5fce9978f8
Database specific 
{
    "versions": [
        {
            "introduced": "21.12.0"
        },
        {
            "fixed": "25.1.0"
        }
    ]
}

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-22146.json"