Sentry SAML SSO User Account Takeover Vulnerability

Vulnerability

A critical vulnerability exists in Sentry's SAML Single Sign-On (SSO) implementation, affecting versions from 21.12.0 up to but not including 26.4.1. An attacker who controls an organization on the same Sentry instance as the victim, and who has configured SAML SSO for that organization against an Identity Provider (IdP) they control, can have that IdP assert the victim's email address and thereby take over the victim's account in another organization on the instance. The only additional precondition is knowledge of the victim's email address. The issue is fixed in Sentry 26.4.1.

Impact

Successful exploitation gives the attacker an authenticated session as the victim, i.e. a full takeover of that account and of whatever organizations and projects it can reach, obtained through the SAML SSO flow and across organization boundaries on the same instance.

Reproduction

The attacker needs an organization of their own on the Sentry instance that hosts the target user, with SAML SSO configured against an Identity Provider the attacker controls. Because the attacker runs the IdP, they can mint a validly signed assertion whose asserted identity (NameID or email attribute) is the victim's email address. When a vulnerable instance processes that assertion, it resolves the asserted email to the existing victim account regardless of which organization that account belongs to, links the attacker's SSO identity to it, and signs the attacker in as the victim.
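The cross-organization identity match described in the Vulnerability and Reproduction sections, shown as an added Python model. This is an illustration written for this page, not Sentry's code: `login_vulnerable` resolves a SAML-asserted email against the whole instance, while `login_hardened` accepts only identities that were previously linked, after proof of control, to the organization that trusts the asserting IdP. All class and function names, URLs and sample users are constructed for the example.

```python
"""Constructed model of SAML login on a Sentry-like instance that hosts
several organizations. Added illustration only, not Sentry's code; every
name, URL and user below is invented for the example."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    id: int
    email: str


@dataclass
class Organization:
    slug: str
    idp_entity_id: str                           # SAML issuer this org trusts
    member_ids: set = field(default_factory=set)
    # asserted email -> User, written only by link_identity() after the
    # account owner has proven control of the account
    linked: dict = field(default_factory=dict)


@dataclass(frozen=True)
class SamlAssertion:
    issuer: str   # entityID of the signing IdP (signature assumed already verified)
    email: str    # NameID / email attribute, chosen freely by whoever runs the IdP


class Instance:
    def __init__(self):
        self.users_by_email = {}
        self.orgs_by_issuer = {}

    def add_user(self, user):
        self.users_by_email[user.email] = user

    def add_org(self, org):
        self.orgs_by_issuer[org.idp_entity_id] = org


def login_vulnerable(inst, assertion):
    """Weak pattern: accept any IdP trusted by some org, then resolve the
    asserted email against the instance-wide user table. The org that owns
    the IdP is never consulted, so an attacker-controlled IdP bound to the
    attacker's own org can assert a victim's email and receive the victim's
    session."""
    if assertion.issuer not in inst.orgs_by_issuer:
        return None
    return inst.users_by_email.get(assertion.email)


def login_hardened(inst, assertion):
    """Scoped pattern: the assertion may only resolve to a user who is a
    member of the org that trusts this issuer AND whose identity was
    previously linked to that org's provider. An unlinked email never
    auto-binds to an existing account; that requires link_identity()."""
    org = inst.orgs_by_issuer.get(assertion.issuer)
    if org is None:
        return None
    user = org.linked.get(assertion.email)
    if user is None or user.id not in org.member_ids:
        return None
    return user


def link_identity(org, user, proof_of_control):
    """Bind an SSO identity to an account for ONE org, and only after the
    user authenticated to that account by other means (password, existing
    session). Returns True on success."""
    if not proof_of_control or user.id not in org.member_ids:
        return False
    org.linked[user.email] = user
    return True


def build_scenario():
    """Two orgs on one instance; only the victim's org has a linked identity."""
    inst = Instance()
    victim = User(1, "victim@example.com")           # constructed sample users
    attacker = User(2, "attacker@evil.example")
    inst.add_user(victim)
    inst.add_user(attacker)
    victim_org = Organization("victim-org", "https://idp.victim.example", {victim.id})
    attacker_org = Organization("attacker-org", "https://idp.evil.example", {attacker.id})
    inst.add_org(victim_org)
    inst.add_org(attacker_org)
    link_identity(victim_org, victim, proof_of_control=True)
    return inst, victim, attacker


if __name__ == "__main__":
    inst, victim, _ = build_scenario()
    forged = SamlAssertion("https://idp.evil.example", victim.email)
    print("vulnerable:", login_vulnerable(inst, forged))   # victim's account
    print("hardened:  ", login_hardened(inst, forged))     # None
```

The forged assertion carries a perfectly valid signature from the attacker's IdP; the defect is not in signature checking but in what the asserted identity is allowed to resolve to. Scoping the lookup to the issuing organization and refusing to auto-link an existing account also covers the case where the victim happens to be a member of both organizations, because the attacker's org never obtains a linked entry for the victim without the victim proving control of the account there.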

Remediation

Upgrade to Sentry 26.4.1 or later. The issue is only exploitable where the attacker can control an organization on the same instance, so self-hosted deployments that host several organizations should prioritise the upgrade; the fix applies to the instance as a whole, not per organization. Self-hosted instances restricted to a single organization (the SENTRY_SINGLE_ORGANIZATION setting in self-hosted Sentry) are not exploitable and need no immediate action, although upgrading is still advisable.

Added: May 8, 2026, 11:33 PM
Updated: May 8, 2026, 11:33 PM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          1.3
exploitability  5.4
remediation     0.0
relevance       7.7
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.