CVE-2025-22146
Improper authentication on SAML SSO process allows user impersonation in sentrySentry is a developer-first error tracking and performance monitoring tool. A critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via our private bug bounty program. The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance. The victim email address must be known in order to exploit this vulnerability. The Sentry SaaS fix was deployed on Jan 14, 2025. For self hosted users; if only a single organization is allowed `(SENTRY_SINGLE_ORGANIZATION = True)`, then no action is needed. Otherwise, users should upgrade to version 25.1.0 or higher. There are no known workarounds for this vulnerability.
We have discovered 42 live websites that are affected by CVE-2025-22146.
Affected Software
| Product |  Sentry Server |
| Category | Error and Exception Monitoring |
| Vulnerable Domains | 42 live websites (76% of Sentry Server install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 8 versions ( 53% of all versions) |
Common Weakness Enumeration
CWE-287 Improper AuthenticationDetails
- Published - Jan 15, 2025
- Updated - Jan 15, 2025
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-22146 United States | 14 websites |
 Germany | 9 websites |
 France | 4 websites |
 Russia | 3 websites |
 Switzerland | 2 websites |
 Hungary | 2 websites |
 Italy | 2 websites |
 Norway | 2 websites |
 Australia | 1 websites |
 China | 1 websites |
Website Distribution by TLD
Number of websites using CVE-2025-22146| .com | 13 websites |
| .it | 5 websites |
| .de | 2 websites |
| .ch | 1 websites |
| .cn | 1 websites |
| .co | 1 websites |
| .com.au | 1 websites |
| .eu | 1 websites |
| .io | 1 websites |
| .ru | 1 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-22146
Top websites that are affected by CVE-2025-22146. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ******.********.eu | Switzerland | ***,*** | |
| ***.***********.com | United States | ***,*** | |
| ********.com | Germany | *,***,*** | |
| ******.******.com | United States | *,***,*** | |
| *****.com | United States | *,***,*** | |
| *******.****.ch | Switzerland | *,***,*** | |
| ******.****.*.io |  GB | *,***,*** | |
| ******.****************.solutions | United States | *,***,*** | |
| ******.****.biz | Russia | **,***,*** | |
| ******.*******.com | United States | **,***,*** |
FAQ
CVE-2025-22146 is Improper Authentication in Sentry Server
A total of 42 websites have been identified as vulnerable to CVE-2025-22146, based on global website indexing conducted by WebTechSurvey.
The Sentry Server is affected by the CVE-2025-22146 vulnerability.
Sentry Server versions up to 25.1 are vulnerable to CVE-2025-22146.
CVE-2025-22146 is resolved in version 25.1 of Sentry Server.