CVE-2023-36826 - How Sentry’s Authorization Flaw Exposed Debug Artifacts (And What You Need To Know)
Sentry is a popular platform for error tracking and performance monitoring used by thousands of organizations. In 2023, a serious vulnerability was discovered in Sentry's debug and artifact bundle system that could allow attackers to download confidential files from organizations they weren't part of—all they needed was a valid bundle ID. This long read will break down the vulnerability (CVE-2023-36826), how it worked, and what steps to take to protect your projects.
What Is CVE-2023-36826?
CVE-2023-36826 is a security flaw that impacted Sentry installations from version 8.21 up to 23.5.1. The bug allows any authenticated Sentry user to download debug or artifact bundles (these are files developers upload to help debug or track errors, like JavaScript sourcemaps or symbol files needed to decode crash reports). No special permissions are required beyond basic authentication.
*Note*: This bug does not impact Sentry Cloud (SaaS) users, only self-hosted Sentry deployments.
These bundles carry internal debug data such as file names and code structure. If leaked to a competitor or attacker, they can help map out your codebase, find security flaws, or expose confidential behaviors.
Vulnerable Endpoint and Exploit Details
At the heart of the bug is a missing authorization check.
When you upload a debug bundle to Sentry, it gets a unique ID—like a hash or UUID. Normally, only people on your project should be able to download it. But the vulnerable endpoint didn’t care which organization or project the requesting user belonged to. It only checked if the requester was logged in—not that they had access to that project.
Vulnerable code pattern (Python)
Here’s a simplified version of what the vulnerable endpoint logic looked like (not the actual Sentry code):
```python
# Pseudocode for Sentry's vulnerable endpoint (simplified, not the real code)
from flask import Flask, abort, send_file
from flask_login import login_required  # assumed: supplies the "is logged in" check

app = Flask(__name__)

@app.route('/api//projects/<org_slug>/<proj_slug>/files/dsyms/bundles/<bundle_id>/')
@login_required
def download_debug_bundle(org_slug, proj_slug, bundle_id):
    # Find the bundle by ID, regardless of org or project
    # (get_bundle is an assumed lookup helper, not shown)
    bundle = get_bundle(bundle_id)
    if not bundle:
        abort(404)
    # MISSING: check that the requesting user has access to bundle.org / bundle.project
    return send_file(bundle.path)
```
The critical missing piece: there was no check like `user.has_access_to(bundle.org, bundle.project)`.
2. Craft the URL for the artifact download, using any org or project slug (it doesn’t matter!).
3. Send a GET request (with authentication) to /api//projects/<any_org>/<any_project>/files/dsyms/bundles/<bundle_id>/
4. Receive the file download, even without belonging to that org/project.
Example Exploit with curl
```shell
curl -H "Authorization: Bearer <valid_token>" \
  https://sentry.example.com/api//projects/foo/bar/files/dsyms/bundles/2b7b26a1-xxxx-xxxx-yyyy-zzzzzzzz/
```
Only the bundle ID (2b7b26a1-...) must exist: if it does, the file downloads even if you can’t normally access foo/bar.
Patched in version: 23.5.2
The fix was to properly scope the authorization check for debug/artifact bundle downloads. Sentry now verifies that the user has permission to access the org and project associated with the bundle. So, if you try to fetch a bundle for a project/org you don’t belong to, Sentry returns "403 Forbidden".
Fixed code logic (pseudo)
```python
# The bundle's own org/project is checked against the requesting user
if not user.has_access_to(bundle.org, bundle.project):
    abort(403)  # Forbidden, access denied
```
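The two endpoint behaviours side by side, as an added example that is not from the original post or from Sentry's code base: a plain-Python model with an in-memory bundle store, where `Bundle`, `User`, `BUNDLES`, the slugs and the sample bundle ID are all constructed for the demonstration. It goes one step beyond the pseudo-fix above by authorizing against the org/project named in the URL first and then requiring the bundle to belong to that scope, so an ID alone never reaches across organizations.

```python
from dataclasses import dataclass

# Constructed sample model; Sentry's real data model is more involved.
@dataclass(frozen=True)
class Bundle:
    bundle_id: str
    org: str
    project: str
    path: str

@dataclass(frozen=True)
class User:
    name: str
    memberships: frozenset  # (org_slug, project_slug) pairs the user belongs to

    def has_access_to(self, org: str, project: str) -> bool:
        return (org, project) in self.memberships

# Constructed in-memory bundle store keyed by bundle ID.
SAMPLE_ID = "2b7b26a1-0000-4000-8000-000000000001"
BUNDLES = {SAMPLE_ID: Bundle(SAMPLE_ID, "acme", "web", "/var/sentry/acme-web-dsyms.zip")}

def download_bundle_vulnerable(user, org_slug, proj_slug, bundle_id):
    """Pre-23.5.2 pattern: the caller has verified 'logged in', nothing else.
    The URL's org/project slugs and the user's memberships are never consulted."""
    bundle = BUNDLES.get(bundle_id)
    if bundle is None:
        return 404, None
    return 200, bundle.path

def download_bundle_fixed(user, org_slug, proj_slug, bundle_id):
    """Scoped lookup: the user must be a member of the org/project named in the
    URL, and the bundle must actually belong to that org/project."""
    # Authorize against the URL scope before touching the store, so a non-member
    # cannot use the response code to learn which bundle IDs exist.
    if not user.has_access_to(org_slug, proj_slug):
        return 403, None
    bundle = BUNDLES.get(bundle_id)
    # A bundle owned by a different org/project is simply "not found" here:
    # knowing the ID never grants access across scopes.
    if bundle is None or (bundle.org, bundle.project) != (org_slug, proj_slug):
        return 404, None
    return 200, bundle.path

if __name__ == "__main__":
    outsider = User("mallory", frozenset({("evil", "corp")}))
    print(download_bundle_vulnerable(outsider, "evil", "corp", SAMPLE_ID))  # (200, path)
    print(download_bundle_fixed(outsider, "evil", "corp", SAMPLE_ID))       # (404, None)
```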
Guides
- Official Sentry Self-hosted Docs
- Release Notes v23.5.2
- Restart all Sentry worker/web processes after the upgrade.
References
- CVE-2023-36826 at NVD
- Sentry Security Release May 2023
- Sentry Self-Hosted Upgrade Guide
Summary Table
| Action Needed | Cloud (SaaS) | Self-Hosted |
|-----------------|--------------|-------------|
| Patch Needed? | No | Yes* |
| Minimum Version | N/A | 23.5.2 |
Final Thoughts
Authorization bugs like CVE-2023-36826 are deceptively simple but potentially devastating. If you run Sentry on your own hardware, upgrade NOW to keep your debug bundles and sourcemaps out of the wrong hands. If you use Sentry Cloud, relax—this patch is already applied.
Stay safe, and always vet endpoints handling sensitive data!
If you found this writeup helpful, check out the official references above—and share with others running self-hosted Sentry!
*(This post is based on public advisories, with simplified and exclusive explanations for easier understanding.)*
Timeline
Published on: 07/25/2023 19:15:00 UTC
Last modified on: 08/02/2023 15:57:00 UTC