CVE-2026-42354
Received Received - Intake
SAML Account Takeover in Sentry

Publication date: 2026-05-08

Last updated on: 2026-05-18

Assigner: GitHub, Inc.

Description
Sentry is an error tracking and performance monitoring tool. From version 21.12.0 to before version 26.4.1, a critical vulnerability was discovered in the SAML SSO implementation of Sentry. The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance. The victim email address must be known in order to exploit this vulnerability. This issue has been patched in version 26.4.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-18
Generated
2026-06-19
AI Q&A
2026-05-09
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42354
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
sentry sentry From 21.12.0 (inc) to 26.4.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the SAML Single Sign-On (SSO) implementation of Sentry, an error tracking and performance monitoring tool. It affects versions from 21.12.0 up to but not including 26.4.1.

An attacker can exploit this vulnerability by using a malicious SAML Identity Provider along with another organization on the same Sentry instance. The attacker must know the victim's email address to take over their user account.

This vulnerability allows the attacker to fully compromise user accounts without requiring any user interaction.

Impact Analysis

The vulnerability can lead to a complete takeover of user accounts within the affected Sentry instance.

Since the attacker can impersonate any user by knowing their email address, this can result in unauthorized access to sensitive error tracking and performance monitoring data.

The compromise can lead to data breaches, loss of confidentiality, and potential misuse of the affected accounts.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Sentry to version 26.4.1 or later, where the issue has been patched.

Compliance Impact

This vulnerability allows an attacker to take over any user account by exploiting the SAML SSO implementation in Sentry, potentially leading to unauthorized access to sensitive user data.

Such unauthorized access could result in violations of data protection regulations like GDPR and HIPAA, which require strict controls over user data confidentiality and access.

However, the provided information does not explicitly describe the impact on compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42354. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart