PYSEC-2026-1917

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/sentry-sdk/PYSEC-2026-1917.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1917
Aliases
Published
2026-07-07T14:34:36.976776Z
Modified
2026-07-07T17:47:52.959930142Z
Severity
  • 2.5 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N CVSS Calculator
  • 1.8 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N CVSS Calculator
Summary
Sentry's Python SDK unintentionally exposes environment variables to subprocesses
Details

Impact

The bug in Sentry's Python SDK <2.8.0 results in the unintentional exposure of environment variables to subprocesses despite the env={} setting.

Details

In Python's subprocess calls, all environment variables are passed to subprocesses by default. However, if you specifically do not want them to be passed to subprocesses, you may use env argument in subprocess calls, like in this example:

>>> subprocess.check_output(["env"], env={"TEST":"1"})
b'TEST=1\n'

If you'd want to not pass any variables, you can set an empty dict:

>>> subprocess.check_output(["env"], env={})
b''

However, the bug in Sentry SDK <2.8.0 causes all environment variables to be passed to the subprocesses when env={} is set, unless the Sentry SDK's Stdlib integration is disabled. The Stdlib integration is enabled by default.

Patches

The issue has been patched in https://github.com/getsentry/sentry-python/pull/3251 and the fix released in sentry-sdk==2.8.0. The fix was also backported to sentry-sdk==1.45.1.

Workarounds

We strongly recommend upgrading to the latest SDK version. However, if it's not possible, and if passing environment variables to child processes poses a security risk for you, there are two options:

  1. In your application, replace env={} with the minimal dict env={"EMPTY_ENV":"1"} or similar.

OR

  1. Disable Stdlib integration:
    import sentry_sdk
    
    # Should go before sentry_sdk.init
    sentry_sdk.integrations._DEFAULT_INTEGRATIONS.remove("sentry_sdk.integrations.stdlib.StdlibIntegration")
    
    sentry_sdk.init(...)
    

References

References

Affected packages

PyPI / sentry-sdk

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.45.1
Introduced
2.0.0a1
Fixed
2.8.0

Affected versions

0.*
0.1.0rc1
0.1.0rc2
0.1.0rc3
0.1.0rc4
0.1.0rc5
0.1.0rc6
0.1.0rc7
0.1.0rc8
0.1.0rc9
0.1.0rc10
0.1.0rc11
0.1.0rc12
0.1.0rc13
0.1.0rc14
0.1.0rc15
0.1.0rc16
0.1.0
0.1.1
0.1.2
0.1.3
0.2.1
0.2.2
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
0.3.10
0.3.11
0.4.0
0.4.1
0.4.2
0.4.3
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
0.7.8
0.7.9
0.7.10
0.7.11
0.7.12
0.7.13
0.7.14
0.8.0
0.8.1
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.10.0
0.10.1
0.10.2
0.11.0
0.11.1
0.11.2
0.12.0
0.12.1
0.12.2
0.12.3
0.13.0
0.13.1
0.13.2
0.13.3
0.13.4
0.13.5
0.14.0
0.14.1
0.14.2
0.14.3
0.14.4
0.15.0
0.15.1
0.16.0
0.16.1
0.16.2
0.16.3
0.16.4
0.16.5
0.17.0
0.17.1
0.17.2
0.17.3
0.17.4
0.17.5
0.17.6
0.17.7
0.17.8
0.18.0
0.19.0
0.19.1
0.19.2
0.19.3
0.19.4
0.19.5
0.20.0
0.20.1
0.20.2
0.20.3
1.*
1.0.0
1.1.0
1.2.0
1.3.0
1.3.1
1.4.0
1.4.1
1.4.2
1.4.3
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.8
1.5.9
1.5.10
1.5.11
1.5.12
1.6.0
1.7.0
1.7.1
1.7.2
1.8.0
1.9.0
1.9.1
1.9.2
1.9.3
1.9.4
1.9.5
1.9.6
1.9.7
1.9.8
1.9.9
1.9.10
1.10.0
1.10.1
1.11.0
1.11.1
1.12.0
1.12.1
1.13.0
1.14.0
1.15.0
1.16.0
1.17.0
1.18.0
1.19.0
1.19.1
1.20.0
1.21.0
1.21.1
1.22.0
1.22.1
1.22.2
1.23.0
1.23.1
1.24.0
1.25.0
1.25.1
1.26.0
1.27.0
1.27.1
1.28.0
1.28.1
1.29.0
1.29.1
1.29.2
1.30.0
1.31.0
1.32.0
1.33.0
1.33.1
1.34.0
1.35.0
1.36.0
1.37.0
1.37.1
1.38.0
1.39.0
1.39.1
1.39.2
1.40.0
1.40.1
1.40.2
1.40.3
1.40.4
1.40.5
1.40.6
1.41.0
1.42.0
1.43.0
1.44.0
1.44.1
1.45.0
2.*
2.0.0a1
2.0.0a2
2.0.0rc1
2.0.0rc2
2.0.0rc3
2.0.0rc4
2.0.0rc5
2.0.0rc6
2.0.0
2.0.1
2.1.0
2.1.1
2.2.0
2.2.1
2.3.0
2.3.1
2.4.0
2.5.0
2.5.1
2.6.0
2.7.0
2.7.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/sentry-sdk/PYSEC-2026-1917.yaml"