Environment
SaaS (https://sentry.io/)
Steps to Reproduce
- Log into Sentry with Account A (email A) in the browser.
- From a different account, send an organization invitation to email B.
- Open email B's inbox (while still logged in as A in the same browser) and click the "Accept" / "Join" link in the invitation email.
- Observe which account is added to the organization.
Expected Result
The invitation should be bound to email B. Sentry should either:
- Accept the invite as email B, or
- Detect the mismatch between the logged-in account (A) and the invited email (B), and prompt the user to sign out and sign in as B before joining.
In no case should an invite sent to email B be silently consumed by a different account.
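The check described above, as an added example that is not Sentry's own code: the invite is bound to the address it was sent to, and the acceptance handler refuses to consume it unless the current session owns a verified copy of that address. The `Invite`, `User`, `Org` models and the `accept_invite` function are assumed names for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
import hmac


class Outcome(Enum):
    ACCEPTED = "accepted"
    REAUTH_REQUIRED = "sign out and sign in as the invited email"
    INVALID = "invalid, expired or already-used invite"


@dataclass
class Invite:            # hypothetical model: one row per invitation email
    org: str
    email: str           # the address the invitation was sent to
    token: str           # secret from the "Accept" link
    used: bool = False


@dataclass
class User:              # hypothetical model: the account behind the browser session
    email: str
    verified_emails: set = field(default_factory=set)


@dataclass
class Org:
    name: str
    members: set = field(default_factory=set)


def normalize(email: str) -> str:
    return email.strip().lower()


def accept_invite(invite: Invite, presented_token: str, current_user: User, org: Org) -> Outcome:
    # Single-use token, compared in constant time, and scoped to the organization it was issued for.
    if invite.used or invite.org != org.name or not hmac.compare_digest(invite.token, presented_token):
        return Outcome.INVALID
    # The invite is bound to the invited address. If the logged-in account does not own a
    # verified copy of it, leave the invite untouched and ask the user to re-authenticate.
    owned = {normalize(e) for e in current_user.verified_emails}
    if normalize(invite.email) not in owned:
        return Outcome.REAUTH_REQUIRED
    invite.used = True
    org.members.add(normalize(current_user.email))
    return Outcome.ACCEPTED
```

The mismatch branch deliberately does not mark the invite as used, so the intended recipient can still accept it after signing in.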
Actual Result
The invitation was accepted by Account A. Email A was added to the organization that was only ever invited to email B. There was no warning, no confirmation step, and no indication that the logged-in account did not match the invited email.
This effectively lets the wrong identity end up inside the wrong organization without the user realizing it, which is a significant identity/access issue for an invitation flow.
Product Area
Sign In
Link
No response
DSN
No response
Version
No response