
Sentry CVE-2026-27197

EUVD-2026-7736 · CRITICAL
Improper Authentication (CWE-287)
2026-02-21 · security-advisories@github.com · GHSA-ggmg-cqg6-j45g
CVSS 3.1 score: 9.1 (GitHub Advisory)

Severity by source

GitHub Advisory (primary): 9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory; the only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Patch available: Apr 17, 2026 - 22:16 (EUVD)
Analysis generated: Mar 12, 2026 - 22:04 (vuln.today)
CVE published: Feb 21, 2026 - 05:17 (NVD)

Description (GitHub Advisory)

Sentry is a developer-first error tracking and performance monitoring tool. Versions 21.12.0 through 26.1.0 have a critical vulnerability in the SAML SSO implementation which allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance. Self-hosted users are only at risk if the following criteria are met: more than one organization is configured (SENTRY_SINGLE_ORGANIZATION = True), or a malicious user has existing access and permissions to modify SSO settings for another organization in a multi-organization instance. This issue has been fixed in version 26.2.0. To work around this issue, implement user account-based two-factor authentication to prevent an attacker from being able to complete authentication with a victim's user account. Organization administrators cannot do this on a user's behalf; this requires individual users to ensure 2FA has been enabled for their account.

Analysis (AI)

SAML authentication bypass in Sentry 21.12.0 through 26.1.0.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

1. Access: set up a malicious SAML Identity Provider
2. Exploit: register a second organization on the target Sentry instance
3. Execution: craft a forged SAML assertion
4. Impact: attacker assumes the victim user's identity across organizations

Vulnerability Assessment (AI)

Exploitation: Multi-organization Sentry deployment with SAML SSO enabled (SENTRY_SINGLE_ORGANIZATION setting not True). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: CVSS 9.1. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: Bypass SAML authentication to access error tracking data.
Remediation: Update Sentry. Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: inventory all Sentry deployments (self-hosted and SaaS), identify critical instances, and enable enhanced monitoring for suspicious access patterns. …
