Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-26004 is a cross-organization Insecure Direct Object Reference (IDOR) vulnerability in Sentry's GroupEventJsonView endpoint. The issue arises because the endpoint's get method calls a function to retrieve group event data without passing the organization context, which causes organization-level permission checks to be bypassed. As a result, an authenticated user with event read permissions in their own organization can manipulate the group_id parameter to access sensitive event data belonging to other organizations."}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the authorization model only checks permissions against the active organization context, not the actual organization owning the resource. This allows unauthorized access to event data across organizational boundaries.'}] [1, 2, 3]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can lead to unauthorized access to sensitive event data from other organizations within the Sentry platform. An attacker who is authenticated in their own organization and has event read permissions can exploit this flaw to view event details from victim organizations by guessing or knowing the group_id of those events.'}, {'type': 'paragraph', 'content': "Such unauthorized access can expose confidential information about errors and performance issues in other organizations' applications, potentially leading to information leakage, privacy violations, and increased risk of further attacks."}] [1, 2, 3]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to access event data from another organization using an authenticated user with event:read permission in their own organization. Specifically, by manipulating the group_id parameter in the URL to reference a group from a different organization, unauthorized access can be tested.'}, {'type': 'paragraph', 'content': 'A practical detection method involves using a curl command to request event data from the GroupEventJsonView endpoint with a guessed group_id from another organization while authenticated as a user from your own organization.'}, {'type': 'paragraph', 'content': 'Example curl command to test unauthorized access (replace placeholders accordingly):'}, {'type': 'list_item', 'content': 'curl -H "Cookie: session=<attacker_session_token>" https://<sentry-host>/organizations/<attacker_org_slug>/issues/<victim_group_id>/events/latest/json/'}, {'type': 'paragraph', 'content': 'If the response returns event data instead of an error (e.g., 404), it indicates the vulnerability is present.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Sentry to version 26.1.0 or later, where this vulnerability has been patched.

The patch enforces organization-level permission checks by passing the organization context to the get_group_with_redirect method in the GroupEventJsonView endpoint, preventing unauthorized cross-organization access.

Until the upgrade can be applied, restrict access to the GroupEventJsonView endpoint to trusted users only and monitor for suspicious access patterns involving group_id parameter manipulation.

Useful 0 Not Useful 0