VYPR
High severity · NVD Advisory · Published Sep 17, 2024 · Updated Sep 18, 2024

Improper authorization on deletion of user issue alert notifications in sentry

CVE-2024-45605

Description

Sentry is a developer-first error tracking and performance monitoring platform. An authenticated user could delete the user issue alert notification settings of arbitrary users given a known alert (notification option) ID, because the delete endpoint looked the option up by ID alone without checking that it belonged to the requesting user. A patch was issued to ensure authorization checks are properly scoped on requests to delete user alert notifications: the lookup is now filtered by the authenticated user, and an option that exists but belongs to someone else is reported as not found. Sentry SaaS users do not need to take any action. Self-hosted Sentry users should upgrade to version 24.9.0 or higher. There are no known workarounds for this vulnerability.
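The authorization bug described above, reduced to a runnable model. This is an added example, not Sentry's code: the Django ORM and REST endpoint are replaced by a constructed in-memory store and two plain handler functions, and every name here (OptionStore, delete_option_vulnerable, delete_option_fixed, the user IDs 100 and 200) is a hypothetical stand-in. It shows the pre-fix lookup keyed on the option ID alone, the post-fix lookup scoped to the caller, and the check that the fixed handler answers identically for "not yours" and "does not exist".

```python
from dataclasses import dataclass, field


@dataclass
class NotificationOption:
    # Hypothetical stand-in for a NotificationSettingOption row
    id: int
    user_id: int


@dataclass
class OptionStore:
    # Constructed in-memory replacement for the ORM table
    rows: dict = field(default_factory=dict)

    def get(self, option_id, user_id=None):
        # With user_id=None this is the unscoped lookup (the bug);
        # with a user_id it behaves like get(id=..., user=...)
        row = self.rows.get(option_id)
        if row is None:
            return None
        if user_id is not None and row.user_id != user_id:
            return None
        return row

    def delete(self, option_id):
        self.rows.pop(option_id)

    def exists(self, option_id):
        return option_id in self.rows


NOT_FOUND = (404, {"detail": "User notification setting does not exist"})
NO_CONTENT = (204, None)


def delete_option_vulnerable(store, caller_id, option_id):
    # Pre-fix shape: the caller is authenticated but never compared
    # against the row's owner (insecure direct object reference)
    option = store.get(option_id)
    if option is None:
        return NOT_FOUND
    store.delete(option.id)
    return NO_CONTENT


def delete_option_fixed(store, caller_id, option_id):
    # Post-fix shape: ownership is part of the lookup, so a foreign row
    # is indistinguishable from a missing one
    option = store.get(option_id, user_id=caller_id)
    if option is None:
        return NOT_FOUND
    store.delete(option.id)
    return NO_CONTENT


ATTACKER, VICTIM = 100, 200  # hypothetical user IDs


def seeded_store():
    # Constructed data: one option owned by each user
    store = OptionStore()
    store.rows[1] = NotificationOption(id=1, user_id=ATTACKER)
    store.rows[2] = NotificationOption(id=2, user_id=VICTIM)
    return store


def run_attack(handler):
    # Attacker tries to delete the victim's option given its ID.
    # Returns (status code, victim row still present)
    store = seeded_store()
    status, _ = handler(store, ATTACKER, 2)
    return status, store.exists(2)


def check_no_id_oracle(handler):
    # A foreign row and a nonexistent row must produce the same response,
    # otherwise the endpoint confirms which IDs exist
    store = seeded_store()
    foreign = handler(store, ATTACKER, 2)
    missing = handler(store, ATTACKER, 999)
    return foreign == missing


def own_row_still_deletable(handler):
    # The fix must not break the legitimate case
    store = seeded_store()
    status, _ = handler(store, ATTACKER, 1)
    return status == 204 and not store.exists(1)


if __name__ == "__main__":
    print("vulnerable:", run_attack(delete_option_vulnerable))
    print("fixed:", run_attack(delete_option_fixed))
```

Against the vulnerable handler the attack returns 204 and the victim's row is gone; against the fixed handler it returns 404 and the row survives, while the attacker can still delete their own option.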

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
sentry (PyPI) | >= 23.9.0, < 24.9.0 | 24.9.0

Patches

590258255bcb

fix(alerts): Prevent muting user alerts (#77093)

https://github.com/getsentry/sentry · Seiji Chew · Sep 10, 2024 · via ghsa
2 files changed · +44 −9
  • src/sentry/api/endpoints/user_notification_settings_options_detail.py · +20 −6 · modified
    @@ -1,4 +1,5 @@
     from rest_framework import status
    +from rest_framework.exceptions import NotFound
     from rest_framework.request import Request
     from rest_framework.response import Response
     
    @@ -19,13 +20,26 @@ class UserNotificationSettingsOptionsDetailEndpoint(UserEndpoint):
         # TODO(Steve): Make not private when we launch new system
         private = True
     
    -    def delete(self, request: Request, user: User, notification_option_id: str) -> Response:
    +    def convert_args(
    +        self,
    +        request: Request,
    +        user_id: int | str | None = None,
    +        *args,
    +        notification_option_id: int,
    +        **kwargs,
    +    ):
    +        args, kwargs = super().convert_args(request, user_id, *args, **kwargs)
    +        user = kwargs["user"]
             try:
    -            option = NotificationSettingOption.objects.get(
    -                id=notification_option_id,
    -            )
    +            option = NotificationSettingOption.objects.get(id=notification_option_id, user=user)
             except NotificationSettingOption.DoesNotExist:
    -            return Response(status=status.HTTP_404_NOT_FOUND)
    +            raise NotFound(detail="User notification setting does not exist")
     
    -        option.delete()
    +        kwargs["notification_setting_option"] = option
    +        return args, kwargs
    +
    +    def delete(
    +        self, request: Request, user: User, notification_setting_option: NotificationSettingOption
    +    ) -> Response:
    +        notification_setting_option.delete()
             return Response(status=status.HTTP_204_NO_CONTENT)
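Review bot: the ownership filter on the lookup, `NotificationSettingOption.objects.get(id=notification_option_id, user=user)`, is the actual authorization fix, and raising the same `NotFound` for a missing row and for another user's row is the right call, since the endpoint then does not confirm whether a given ID exists. One nit on the new `convert_args` signature: `notification_option_id` is annotated `int` but arrives from the URL as a string (the old `delete` signature typed it `str`); the ORM will coerce a numeric string, but unless the URL pattern already restricts the segment to digits a non-numeric value would surface as a `ValueError` rather than a clean 404, so consider validating it before the lookup. Also worth a one-line docstring on `convert_args` noting that it deliberately resolves the option in the context of the resolved `user` so every method on this endpoint inherits the check.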
    
  • tests/sentry/api/endpoints/test_user_notification_settings_options_details.py · +24 −3 · modified
    @@ -24,22 +24,43 @@ def setUp(self):
             super().setUp()
             self.login_as(self.user)
     
    -        option = NotificationSettingOption.objects.create(
    +        self.option = NotificationSettingOption.objects.create(
                 user_id=self.user.id,
                 scope_type=NotificationScopeEnum.ORGANIZATION.value,
                 scope_identifier=self.organization.id,
                 type=NotificationSettingEnum.ISSUE_ALERTS.value,
                 value=NotificationSettingsOptionEnum.ALWAYS.value,
             )
    +
    +    def test_simple(self):
             self.get_success_response(
                 "me",
    -            option.id,
    +            self.option.id,
             )
    -        assert not NotificationSettingOption.objects.filter(id=option.id).exists()
    +        assert not NotificationSettingOption.objects.filter(id=self.option.id).exists()
     
         def test_invalid_option(self):
             self.get_error_response(
                 "me",
                 "123",
                 status_code=status.HTTP_404_NOT_FOUND,
             )
    +
    +    def test_cannot_delete_other_users_setting(self):
    +        victim_user = self.create_user()
    +        victim_org = self.create_organization(owner=victim_user)
    +        victim_option = NotificationSettingOption.objects.create(
    +            user_id=victim_user.id,
    +            scope_type=NotificationScopeEnum.ORGANIZATION.value,
    +            scope_identifier=victim_org.id,
    +            type=NotificationSettingEnum.ISSUE_ALERTS.value,
    +            value=NotificationSettingsOptionEnum.ALWAYS.value,
    +        )
    +
    +        response = self.get_error_response(
    +            "me",
    +            victim_option.id,
    +            status_code=status.HTTP_404_NOT_FOUND,
    +        )
    +        assert response.data["detail"] == "User notification setting does not exist"
    +        assert NotificationSettingOption.objects.filter(id=victim_option.id).exists()
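Review bot: `test_cannot_delete_other_users_setting` covers the reported case well, asserting both the 404 body and that `victim_option` still exists, but it only exercises the `"me"` path segment. Since `convert_args` accepts a `user_id` and the fix keys the lookup on whatever user that resolves to, consider a second case that passes `victim_user.id` as the user segment while logged in as `self.user`, so the test also pins down that the user resolution itself cannot be steered to the victim. Minor: `test_invalid_option` still uses the literal `"123"`, which could collide with a real row ID under a different ID sequence; `self.option.id + 1000` or similar would make the intent explicit.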
    
