Sso — CraftedSignal Threat Feed

Sentry SAML SSO Improper Authentication Allows User Identity Linking

hello@craftedsignal.io — Thu, 30 Apr 2026 20:45:20 +0000

A critical vulnerability, CVE-2026-42354, has been identified in the SAML Single Sign-On (SSO) implementation of Sentry, potentially allowing an attacker to compromise user accounts. This vulnerability stems from improper authentication during the SAML SSO process, leading to the possibility of user identity linking. The vulnerability affects Sentry versions 21.12.0 up to and including 26.4.0. To exploit this vulnerability, an attacker requires a malicious SAML Identity Provider and access to another organization within the same Sentry instance, coupled with knowledge of the victim’s email address. This attack vector poses a significant risk to self-hosted Sentry instances that are configured with multiple organizations (SENTRY_SINGLE_ORGANIZATION = False), where a malicious user possesses the necessary permissions to modify SSO settings for a different organization. Sentry SaaS has already been patched in April.

Attack Chain

The attacker gains access to a Sentry instance that has multiple organizations configured.
The attacker obtains permissions to modify the SAML SSO settings of at least one organization within the Sentry instance.
The attacker crafts a malicious SAML Identity Provider (IdP) designed to inject or manipulate user identity attributes.
The attacker uses the malicious SAML IdP to initiate a single sign-on (SSO) process to a Sentry organization they control.
The attacker provides the email address of the targeted victim, linking the victim’s identity in the Sentry instance to the malicious SAML IdP.
The victim attempts to log in to their Sentry account through SAML SSO.
Due to the vulnerability, Sentry incorrectly authenticates the victim based on the attributes provided by the attacker’s malicious SAML IdP.
The attacker successfully takes over the victim’s account, gaining access to sensitive data and functionalities associated with the victim’s privileges.

Impact

Successful exploitation of this vulnerability can lead to complete account takeover, resulting in unauthorized access to sensitive project data, configuration settings, and potentially even administrative privileges within the Sentry instance. This poses a substantial risk to organizations using vulnerable Sentry versions, as attackers could exfiltrate sensitive information, modify configurations, or disrupt services. The impact is particularly severe for self-hosted Sentry instances with multiple organizations, where a single compromised account could lead to broader access across the entire platform.

Recommendation

Upgrade self-hosted Sentry instances to version 26.4.1 or higher to patch CVE-2026-42354.
Enable user account-based two-factor authentication (2FA) for all Sentry accounts as a preventative measure, as mentioned in the Workarounds section.
Monitor Sentry audit logs for any unauthorized changes to SAML SSO configurations, particularly within multi-organization setups, to detect potential exploitation attempts.
Review and restrict permissions for modifying SSO settings across all organizations to minimize the attack surface, as described in the Overview.

Sentry SAML SSO Improper Authentication Vulnerability

hello@craftedsignal.io — Sat, 18 Apr 2026 12:00:00 +0000

A critical vulnerability (CVE-2026-27197) has been identified in the SAML Single Sign-On (SSO) implementation within Sentry, a popular error tracking and performance monitoring platform. This vulnerability allows a malicious actor to potentially take over user accounts by leveraging a rogue SAML Identity Provider (IdP) in conjunction with another organization configured within the same Sentry instance. The attacker needs to know the victim’s email address for successful exploitation. This flaw primarily impacts self-hosted Sentry deployments with multiple organizations enabled (SENTRY_SINGLE_ORGANIZATION = False) and where a malicious user possesses the ability to modify SSO settings for another organization. Sentry SaaS was patched on February 18, 2026. Self-hosted users should upgrade to version 26.2.0 or later to remediate this vulnerability.

Attack Chain

The attacker gains access to a Sentry instance that hosts multiple organizations. This could be through compromised credentials or other initial access vectors.
The attacker identifies a target user’s email address within the Sentry instance.
The attacker gains permissions to modify SSO settings for an organization within the Sentry instance.
The attacker configures a malicious SAML Identity Provider (IdP) for the organization they control. This IdP is designed to spoof user identities.
The victim attempts to log in to Sentry via SAML SSO.
Sentry redirects the victim to the attacker’s malicious SAML IdP for authentication.
The attacker’s malicious SAML IdP asserts the victim’s identity (using the known email address) to Sentry, but the assertion is illegitimate and controlled by the attacker.
Sentry, due to the vulnerability, improperly validates the SAML assertion, allowing the attacker to successfully authenticate as the victim and gain unauthorized access to their account.

Impact

Successful exploitation of this vulnerability allows an attacker to completely take over a targeted user’s Sentry account. This grants the attacker the ability to access sensitive project data, modify configurations, invite/remove team members, and potentially disrupt the entire Sentry instance’s operations. The vulnerability affects Sentry versions 21.12.0 up to, but not including, 26.2.0. The number of potential victims depends on the number of vulnerable Sentry instances with multiple organizations configured and the attacker’s ability to modify SSO settings.

Recommendation

Upgrade self-hosted Sentry instances to version 26.2.0 or later to patch CVE-2026-27197.
Enable two-factor authentication (2FA) on all Sentry accounts. Users can manage this in Account Settings > Security, as mentioned in the helpdesk article.
Monitor Sentry logs for unusual SSO configuration changes, specifically modifications to SAML Identity Provider settings. Deploy a rule that detects modifications to the SENTRY_SINGLE_ORGANIZATION setting, as this is a prerequisite for exploitation.
Implement the Sigma rule Detect Suspicious SAML Authentication to identify potential unauthorized SAML authentication attempts based on unusual IP addresses or user agents.

Critical Certificate Validation Vulnerability in CISCO Webex Allows User Impersonation

hello@craftedsignal.io — Fri, 17 Apr 2026 09:19:48 +0000

A critical vulnerability, CVE-2026-20184, has been identified in the Single Sign-On (SSO) implementation with Control Hub in CISCO Webex versions 39.6 through 45.4. This improper certificate validation issue allows an unauthenticated, remote attacker to bypass security controls and impersonate legitimate users. CISCO Webex is a widely used cloud-based platform for video meetings and collaboration. Successful exploitation could lead to unauthorized access to sensitive information, disruption of services, and a complete compromise of the CIA triad. The vulnerability poses a significant risk to organizations relying on Webex for internal and external communications. Public proof-of-concept or proof-of-exploitation code is not yet available, but the severity and ease of exploitation warrant immediate attention and patching.

Attack Chain

The attacker identifies a vulnerable CISCO Webex instance running a version between 39.6 and 45.4.
The attacker crafts a malicious token designed to exploit the improper certificate validation flaw in the SSO with Control Hub.
The attacker connects to a Webex service endpoint, presenting the crafted token.
The vulnerable Webex instance fails to properly validate the certificate associated with the token.
The attacker is authenticated as a targeted user without providing valid credentials.
The attacker gains unauthorized access to the targeted user’s sensitive information, including meeting schedules, contact lists, and potentially recorded meetings.
The attacker joins Webex meetings without authorization, potentially eavesdropping on confidential conversations or disrupting the meeting.
The attacker escalates privileges within the Webex environment by leveraging the compromised user’s access rights, potentially gaining administrative control.

Impact

Successful exploitation of CVE-2026-20184 can lead to severe consequences. Attackers can impersonate any user within the Webex service, gaining unauthorized access to confidential meetings, sensitive data, and internal communications. This can result in a breach of confidentiality, integrity, and availability, potentially leading to significant financial losses, reputational damage, and legal liabilities. The number of affected organizations could be substantial given Webex’s widespread use across various sectors.

Recommendation

Immediately patch all CISCO Webex installations to a version beyond 45.4 to remediate CVE-2026-20184 (Reference: CISCO Security Advisory).
Upscale monitoring and detection capabilities to identify any suspicious activity related to unauthorized access attempts within the CISCO Webex environment, as recommended by the CCB (Reference: CCB Advisory).
Implement the provided Sigma rule to detect suspicious authentication patterns indicative of exploitation attempts against Webex (Reference: Sigma rule - “Webex Suspicious Authentication Pattern”).
Enable and review Webex access logs for unusual login attempts or access patterns originating from unexpected locations (Reference: Webex access logs).

Admidio SAML Assertion Consumer Service (ACS) URL Validation Bypass

hello@craftedsignal.io — Mon, 29 Jan 2024 12:00:00 +0000

A vulnerability exists in Admidio’s SAML IdP implementation within the SSO module (versions 5.0.8 and earlier) that allows for bypassing Assertion Consumer Service (ACS) URL validation. The IdP uses the AssertionConsumerServiceURL value directly from incoming SAML AuthnRequest messages as the destination for the SAML response without verifying it against the registered smc_acs_url for the corresponding service provider client. An attacker can exploit this by crafting a SAML AuthnRequest with the Entity ID of a registered SP client and an attacker-controlled AssertionConsumerServiceURL. This causes the IdP to send the signed SAML response, containing sensitive user identity attributes (login name, email, roles, profile fields), to a URL controlled by the attacker. The default configuration does not require signed AuthnRequests, simplifying exploitation to only needing the SP’s Entity ID.

Attack Chain

The attacker identifies the Entity ID of a registered SAML service provider (SP) client within the Admidio IdP. This is often publicly available from the SP’s metadata endpoint.
The attacker crafts a malicious SAML AuthnRequest. The AuthnRequest includes the legitimate SP Entity ID as the Issuer, but sets the AssertionConsumerServiceURL to a URL controlled by the attacker (e.g., https://attacker.test/steal-saml).
The attacker sends the crafted SAML AuthnRequest to Admidio’s SSO endpoint (/modules/sso/index.php/saml/sso) using the HTTP-POST binding, typically by tricking a logged-in user into accessing a webpage containing an auto-submitting form.
Admidio’s SSO module receives the AuthnRequest. If signature validation is not enforced for the SP, the request proceeds without signature verification.
If the user is already authenticated with the Admidio IdP, the IdP generates a signed SAML response containing the user’s identity and attributes. The destination of the SAML response is set to the attacker-controlled AssertionConsumerServiceURL taken directly from the AuthnRequest.
Admidio renders an auto-submitting HTML form in the victim’s browser, which POSTs the signed SAML response to the attacker’s URL (https://attacker.test/steal-saml).
The attacker’s server receives the SAML response, extracting the user’s login name, email, full name, roles, and any other profile fields included in the assertion.
The attacker replays the stolen SAML assertion to the legitimate SP to authenticate as the victim, gaining unauthorized access to the SP application and its resources.

Impact

Successful exploitation of this vulnerability allows an attacker to steal user identities and impersonate victims on legitimate service provider applications. This leads to unauthorized access to user accounts and potential access to sensitive data and resources within those applications. The scope change enables impersonation across separate service provider applications. The vulnerability is exploitable without requiring knowledge of cryptographic keys if smc_require_auth_signed is not enabled, making it easier to exploit. All versions of Admidio up to and including 5.0.8 are affected.

Recommendation

Apply the vendor-supplied patch described in GHSA-p9w9-87c8-m235 by upgrading to a version of Admidio greater than 5.0.8.
As a temporary mitigation, enable smc_require_auth_signed and smc_validate_signatures for all SAML clients to enforce signature validation, mitigating attacks from unauthenticated sources.
Monitor web server logs for POST requests to the Admidio SSO endpoint (/modules/sso/index.php/saml/sso) with suspicious SAMLRequest parameters containing attacker-controlled AssertionConsumerServiceURL values, which can be detected using the “Admidio SAML AuthnRequest ACS URL Override” Sigma rule.
Monitor network traffic for connections to attacker-controlled URLs, such as https://attacker.test/steal-saml, which may indicate successful exploitation and the exfiltration of SAML responses as listed in the IOC table.