CVE-2026-42354
SAML Account Takeover in Sentry
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sentry | sentry | From 21.12.0 (inc) to 26.4.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-290 | This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the SAML Single Sign-On (SSO) implementation of Sentry, an error tracking and performance monitoring tool. It affects versions from 21.12.0 up to but not including 26.4.1.
An attacker can exploit this vulnerability by using a malicious SAML Identity Provider along with another organization on the same Sentry instance. The attacker must know the victim's email address to take over their user account.
This vulnerability allows the attacker to fully compromise user accounts without requiring any user interaction.
How can this vulnerability impact me?
The vulnerability can lead to a complete takeover of user accounts within the affected Sentry instance.
Since the attacker can impersonate any user by knowing their email address, this can result in unauthorized access to sensitive error tracking and performance monitoring data.
The compromise can lead to data breaches, loss of confidentiality, and potential misuse of the affected accounts.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Sentry to version 26.4.1 or later, where the issue has been patched.