CVE-2026-27197
CVE-2026-27197 is a critical-severity vulnerability in Sentry with a CVSS 3.x base score of 9.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-287.
Key facts
- Severity: Critical (CVSS 3.x base score 9.1)
- EPSS exploit prediction: 0% (35th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-7736
- Weakness: CWE-287
- Affected product: Sentry
- Published:
- Last modified:
Description
Sentry is a developer-first error tracking and performance monitoring tool. Versions 21.12.0 through 26.1.0 have a critical vulnerability in its SAML SSO implementation which allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance. Self-hosted users are only at risk if the following criteria is met: ore than one organizations are configured (SENTRY_SINGLE_ORGANIZATION = True), or malicious user has existing access and permissions to modify SSO settings for another organization in a multo-organization instance. This issue has been fixed in version 26.2.0. To workaround this issue, implement user account-based two-factor authentication to prevent an attacker from being able to complete authentication with a victim's user account. Organization administrators cannot do this on a user's behalf, this requires individual users to ensure 2FA has been enabled for their account.
Frequently asked questions
- What is CVE-2026-27197?
- Sentry is a developer-first error tracking and performance monitoring tool. Versions 21.12.0 through 26.1.0 have a critical vulnerability in its SAML SSO implementation which allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance. Self-hosted users are only at risk if the following criteria is met: ore than one organizations are configured (SENTRY_SINGLE_ORGANIZATION = True), or malicious user has existing access and permissions to modify SSO settings for another organization in a multo-organization instance. This issue has been fixed in version 26.2.0. To workaround this issue, implement user account-based two-factor authentication to prevent an attacker from being able to complete authentication with a victim's user account. Organization administrators cannot do this on a user's behalf, this requires individual users to ensure 2FA has been enabled for their account.
- How severe is CVE-2026-27197?
- CVE-2026-27197 has a CVSS 3.x base score of 9.1, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability none.
- Is CVE-2026-27197 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (35th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-27197?
- CVE-2026-27197 affects Sentry. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-27197?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- Does CVE-2026-27197 have an EU (EUVD) identifier?
- Yes. CVE-2026-27197 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-7736.
- When was CVE-2026-27197 published?
- CVE-2026-27197 was published on 2026-02-21 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:sentry:sentry:*:*:*:*:*:*:*:*
More vulnerabilities in Sentry
- CVE-2026-42354 — Critical (CVSS 9.1): Sentry is an error tracking and performance monitoring tool. From version 21.12.0 to before version 26.4.1, a critical…
- CVE-2021-47935 — High (CVSS 8.8): Sentry 8.2.0 contains a remote code execution vulnerability that allows authenticated superusers to execute arbitrary…
- CVE-2023-39349 — High (CVSS 8.1): Sentry is an error tracking and performance monitoring platform. Starting in version 22.1.0 and prior to version…
- CVE-2023-36826 — High (CVSS 7.7): Sentry is an error tracking and performance monitoring platform. Starting in version 8.21.0 and prior to version…
- CVE-2026-52794 — High (CVSS 7.5): Sentry is an error tracking and performance monitoring tool. From 24.4.0 until 26.5.2, a Regular Expression Denial of…
- CVE-2025-53099 — High (CVSS 7.5): Sentry is a developer-first error tracking and performance monitoring tool. Prior to version 25.5.0, an attacker with a…
Other CWE-287 (Improper Authentication) vulnerabilities
- CVE-2026-45480 — Critical (CVSS 10.0): Improper authentication in Azure Active Directory allows an unauthorized attacker to elevate privileges over a network.
- CVE-2026-46389 — Critical (CVSS 10.0): UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS…
- CVE-2026-10611 — Critical (CVSS 10.0): An authentication bypass vulnerability exists in MISP when LDAP mixed authentication is enabled with OTP enforcement.…
- CVE-2026-47280 — Critical (CVSS 10.0): Improper authentication in Azure Resource Manager (ARM) allows an unauthorized attacker to elevate privileges over a…
- CVE-2026-42822 — Critical (CVSS 10.0): Improper authentication in Azure Local Disconnected Operations allows an unauthorized attacker to elevate privileges…
- CVE-2026-20182 — Critical (CVSS 10.0): May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and…
Browse all CWE-287 (Improper Authentication) vulnerabilities →