Coordinated Disclosure Timeline

  • 2025-12-23: Sent report to security@sentry.io
  • 2026-01-02: Sentry fixed this as a vulnerability, but decided not to issue a CVE or send a vulnerability report.
  • 2026-02-10: CVE-2026-26004 assigned by GitHub.

Summary

A cross-organization Insecure Direct Object Reference (IDOR) vulnerability has been identified in Sentry’s GroupEventJsonView endpoint.

Project

Sentry

Tested Version

v25.12.0

Details

Cross-organization IDOR in GroupEventJsonView (GHSL-2025-130)

This vulnerability allows any authenticated user with event:read permission in their own organization to access sensitive event data from any other organization simply by changing the group_id path parameter while keeping their own organization slug in the URL path.

Related code:

GroupEventJsonView’s get method does not provide an organization to the get_group_with_redirect function:

class GroupEventJsonView(OrganizationView):
    required_scope = "event:read"

    def get(self, request: HttpRequest, organization, group_id, event_id_or_latest) -> HttpResponse:
        try:
            # TODO(tkaemming): This should *actually* redirect, see similar
            # comment in ``GroupEndpoint.convert_args``.
            group, _ = get_group_with_redirect(group_id) # <--- no organization provided

The frontend's authorization model binds only to the active organization context (the organization slug in the URL path), not to the requested resource:

=> There is no enforcement that the group_id in the URL belongs to the organization injected from the URL slug.
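To make the missing check concrete, here is a self-contained model of the two lookup patterns (added example; not Sentry's code). It assumes an in-memory group table keyed by id, with a constructed layout where group 12 belongs to organization 1 and group 13 to organization 2; the scoped variant folds the organization from the authorized URL context into the lookup so that a foreign group resolves the same way as a non-existent one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    id: int
    organization_id: int


# Constructed sample data (hypothetical): organization 1 stands in for
# victimorg, organization 2 for attackerorg.
GROUPS = {
    12: Group(id=12, organization_id=1),
    13: Group(id=13, organization_id=2),
}


class GroupNotFound(Exception):
    pass


def get_group_unscoped(group_id: int) -> Group:
    """Vulnerable pattern: the lookup is keyed on the user-controlled id
    alone, so any existing group resolves regardless of the caller's org."""
    group = GROUPS.get(group_id)
    if group is None:
        raise GroupNotFound(group_id)
    return group


def get_group_scoped(organization_id: int, group_id: int) -> Group:
    """Hardened pattern: the organization the caller is authorized for is
    part of the lookup key. A group from another organization is reported
    exactly like a missing one, so the endpoint leaks no existence oracle."""
    group = GROUPS.get(group_id)
    if group is None or group.organization_id != organization_id:
        raise GroupNotFound(group_id)
    return group


def view_event_json(active_org_id: int, group_id: int, scoped: bool) -> dict:
    """Models the view: active_org_id is derived from the organization slug
    the user holds event:read on; group_id is taken verbatim from the URL."""
    try:
        group = (get_group_scoped(active_org_id, group_id) if scoped
                 else get_group_unscoped(group_id))
    except GroupNotFound:
        return {"status": 404}
    # Real code would serialize the group's latest event here.
    return {"status": 200, "group_id": group.id, "org": group.organization_id}
```

Run against the constructed data, the unscoped view serves organization 1's group to a caller acting in organization 2, while the scoped view returns 404 for the same request and still serves the caller's own group.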

Proof of Concept

  1. Create two different (non-admin) users victim and attacker belonging to two distinct organizations with URL slugs victimorg and attackerorg.
  2. In the victimorg: Create an issue with at least one event (e.g. using sentry-cli)
  3. Note the issue/group ID, e.g. 12 (group IDs are easy to guess because they are assigned as consecutive numbers).
  4. Login as the attacker.
  5. Visit the following URL as the attacker, using the noted issue/group ID: <sentry-host>/organizations/attackerorg/issues/{victim_group_id}/events/latest/json/

=> The attacker receives complete event data from the victim organization.

curl request:

curl -X GET \
  '<sentry-host>/organizations/{attacker_org}/issues/{victim_group_id}/events/latest/json/' \
  -H 'Cookie: sentrysid=<attacker_session_token>' \
  -H 'Accept: application/json'

Impact

Unauthorized access to (potentially) sensitive event data across organizational boundaries.

CWEs

  • CWE-639: Authorization Bypass Through User-Controlled Key

CVE

  • CVE-2026-26004 - GHSL-2025-130

Credit

This issue was discovered by the AI agent developed by the GitHub Security Lab and reviewed by GHSL team members @m-y-mo (Man Yue Mo) and @p- (Peter Stöckli).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2025-130 in any communication regarding this issue.