CVE-2026-27197
Critical SAML SSO Vulnerability in Sentry Enables Account Takeover
Publication date: 2026-02-21
Last updated on: 2026-02-23
Assigner: GitHub, Inc.
Description
CVSS Scores
Base score 9.1 (Critical): network-exploitable, no privileges required, no user interaction, as stated in the Q&A below. No EPSS probability or percentile is recorded on this page.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sentry | sentry | 21.12.0 (inclusive) to 26.2.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | Improper Authentication: when an actor claims to have a given identity, the product does not prove, or insufficiently proves, that the claim is correct. |
AI-Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Upgrade your Sentry instance to version 26.2.0 or later, where the issue is fixed.

If you cannot upgrade immediately, have users enable account-based two-factor authentication (2FA): it prevents an attacker from completing authentication with a victim's account. 2FA must be enabled by each user individually; organization administrators cannot enforce it on their behalf.

Self-hosted instances configured with a single organization (SENTRY_SINGLE_ORGANIZATION=True) are not exposed, and no action is required for them. [1]
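To turn the guidance above into a repeatable check, the following is an added example (not part of the advisory and not Sentry's own code) that encodes the affected range from the vendor table, 21.12.0 inclusive to 26.2.0 exclusive, together with the single-organization exception for self-hosted deployments. It assumes the setting appears as a literal Python assignment (`SENTRY_SINGLE_ORGANIZATION = True`) in a `sentry.conf.py`-style file; the version strings and the configuration snippet are constructed sample input, and the output labels are this example's own.

```python
"""Affected-range check for CVE-2026-27197 (Sentry SAML SSO account takeover).

Added example; not from the advisory or from Sentry. Encodes the advisory's
affected range (>= 21.12.0 and < 26.2.0) and the stated exception for
self-hosted instances running with SENTRY_SINGLE_ORGANIZATION=True.
"""
import re
from typing import Tuple

AFFECTED_FROM = (21, 12, 0)  # first affected release (inclusive)
FIXED_IN = (26, 2, 0)        # first fixed release (exclusive upper bound)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'X.Y[.Z]' (optional leading 'v', optional suffix) into ints.

    Only the numeric dotted prefix is compared; a pre-release suffix such as
    '26.2.0rc1' is ignored, so confirm pre-release builds against the release
    notes. Unrecognised strings raise rather than silently reading as 'safe'.
    """
    m = re.match(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Sentry version string: {version!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def version_in_affected_range(version: str) -> bool:
    """True when the version falls inside the advisory's affected range."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def single_organization_enabled(config_text: str) -> bool:
    """True only if the last literal assignment sets the flag to True.

    Assumption: the setting is a plain Python assignment at the start of a
    line (comments and env()-driven values are treated as 'not single-org',
    the conservative reading).
    """
    matches = re.findall(
        r"^[ \t]*SENTRY_SINGLE_ORGANIZATION[ \t]*=[ \t]*(True|False)\b",
        config_text,
        re.MULTILINE,
    )
    return bool(matches) and matches[-1] == "True"


def exposure(version: str, config_text: str = "") -> str:
    """Classify an instance per the advisory's conditions.

    'not-affected-version': outside 21.12.0 <= v < 26.2.0 (includes fixed builds)
    'not-exposed':          affected version, but SENTRY_SINGLE_ORGANIZATION=True
    'affected':             affected version with multiple organizations possible
    """
    if not version_in_affected_range(version):
        return "not-affected-version"
    if single_organization_enabled(config_text):
        return "not-exposed"
    return "affected"


if __name__ == "__main__":
    # Constructed sample sentry.conf.py fragment (not a real deployment).
    sample_conf = (
        "# SENTRY_SINGLE_ORGANIZATION = True  # commented out, ignored\n"
        "SENTRY_SINGLE_ORGANIZATION = False\n"
        "SENTRY_OPTIONS['system.url-prefix'] = 'https://sentry.example.internal'\n"
    )
    for v in ("21.11.2", "21.12.0", "26.1.0", "26.2.0"):
        print(f"{v:>8}: {exposure(v, sample_conf)}")
```

Run it against the version reported by your instance and your real `sentry.conf.py`; an `affected` result means the upgrade or per-user 2FA guidance above applies. Note that the check says nothing about whether the SaaS-style multi-organization precondition actually holds on your deployment beyond the flag it reads.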
Can you explain this vulnerability to me?
CVE-2026-27197 is a critical vulnerability in Sentry's SAML Single Sign-On (SSO) implementation, affecting versions 21.12.0 through 26.1.0. Improper authentication during the SAML SSO flow allows an attacker to take over any user account.

The attacker combines a malicious SAML Identity Provider (IdP) with a second organization on the same Sentry instance to improperly link user identities. Exploitation requires knowing the victim's email address.

On self-hosted Sentry, the issue is exploitable only when multiple organizations are configured and a malicious user has permission to modify the SSO settings of another organization in that multi-organization environment.

The issue is fixed in version 26.2.0. As a mitigation, user account-based two-factor authentication (2FA) prevents an attacker from completing authentication with a victim's account, but it must be enabled by each user individually. [1]
How can this vulnerability impact me?
On a vulnerable Sentry instance an attacker can take over any user account without privileges or user interaction on the victim's part.

Successful exploitation gives full access to the victim's data and the ability to modify it, compromising the confidentiality and integrity of that information.

For self-hosted deployments the risk exists only when multiple organizations are configured and the attacker can modify the SSO settings of another organization.

The CVSS base score is 9.1 (Critical), reflecting network-based remote exploitation with no privileges and no user interaction required. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know