Skip to main content

Sentry CVE-2026-42354

CRITICAL
Authentication Bypass by Spoofing (CWE-290)
2026-04-30 https://github.com/getsentry/sentry GHSA-rcmw-7mc7-3rj7
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

5
Source Code Evidence Fetched
Apr 30, 2026 - 21:00 vuln.today
Analysis Generated
Apr 30, 2026 - 21:00 vuln.today
Analysis Generated
Apr 30, 2026 - 20:45 vuln.today
Patch released
Apr 30, 2026 - 20:45 nvd
Patch available
CVE Published
Apr 30, 2026 - 20:44 nvd
CRITICAL 9.1

DescriptionGitHub Advisory

Impact

A critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via Sentry's private bug bounty program.

The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance. The victim email address must be known in order to exploit this vulnerability.

Self-hosted users are only vulnerable if the following conditions are met:

  • They have more than one organization configured (SENTRY_SINGLE_ORGANIZATION = False).
  • A malicious user has existing access and permissions to modify SSO settings for another organization in their multi-organization instance.

Patches

  • Sentry SaaS: The fix was deployed in April. No action is required.
  • Self-Hosted Sentry: If only a single organization is allowed (SENTRY_SINGLE_ORGANIZATION = True), then no action is needed. Sentry recommends upgrading to version 26.4.1 or higher.

Workarounds

User account-based two-factor authentication prevents an attacker from being able to complete authentication with a victim's user account. Organization administrators cannot do this on a user's behalf, this requires individual users to ensure 2FA has been enabled for their account.

Users can manage their two-factor authentication settings through Account Settings > Security page. For step-by-step details, please see the Sentry helpdesk article.

Resources

  • https://github.com/getsentry/sentry/pull/113720

Please note that this is distinct vulnerability from the similar https://github.com/getsentry/sentry/security/advisories/GHSA-7pq6-v88g-wf3w from 2025.

AnalysisAI

Account takeover via SAML SSO authentication bypass in Sentry allows attackers to hijack arbitrary user accounts when controlling a malicious SAML Identity Provider within multi-organization instances. Attackers with permissions to configure SSO settings in one organization can link a victim's email address to their malicious IdP, then authenticate as that victim across the instance. The vulnerability was responsibly disclosed via bug bounty, patched in version 26.4.1 (deployed to SaaS in April 2026), and requires knowledge of the victim's email address plus multi-organization deployment (SENTRY_SINGLE_ORGANIZATION = False). No public exploit identified at time of analysis, though technical details and patch code are public via GitHub advisory GHSA-rcmw-7mc7-3rj7.

Technical ContextAI

This vulnerability exploits CWE-290 (Authentication Bypass by Spoofing) in Sentry's SAML SSO implementation. The flaw resides in the setup pipeline authentication handler (src/sentry/auth/helper.py), where the system trusted email addresses asserted by the SAML Identity Provider without validating that the IdP should have authority over that email domain or user. During SSO provider setup, the code called handle_attach_identity using the IdP-supplied identity email directly, allowing an attacker controlling a malicious IdP in Organization A to assert the email of a victim user in Organization B. The vulnerable code path resolved the email to the victim's existing user account and created an AuthIdentity link, effectively granting the attacker access to that account. The patch overrides the identity email with the authenticated admin's email during setup flow, ensuring identity linking always targets the user performing configuration rather than whoever the IdP claims. The vulnerability affects pip package sentry versions 21.12.0 through 26.4.0, fixed in 26.4.1 per commit 0c67558ae7fe08738912d4c5233b53ead048da3b.

RemediationAI

Self-hosted Sentry operators running multi-organization instances should upgrade to version 26.4.1 or higher immediately, available at https://github.com/getsentry/sentry/releases/tag/26.4.1. The fix is implemented in commit 0c67558ae7fe08738912d4c5233b53ead048da3b which modifies the SAML setup pipeline to override IdP-asserted email with the authenticated admin's email during identity linking. Sentry SaaS customers require no action as the patch was deployed in April 2026. For deployments unable to upgrade immediately, enforce user-level two-factor authentication across all accounts via Account Settings > Security (https://sentry.io/settings/account/security/), following steps at https://sentry.zendesk.com/hc/en-us/articles/46773315774235. Note that 2FA must be enabled by individual users and cannot be enforced by organization administrators on their behalf, limiting this workaround's effectiveness without user cooperation. Alternatively, reconfigure to single-organization mode (SENTRY_SINGLE_ORGANIZATION = True) if operationally feasible, which eliminates the vulnerability entirely but restricts deployment to one organization per instance. Organizations should audit existing SAML SSO configurations and AuthIdentity records for unexpected linkages created between April and the upgrade date.

Share

CVE-2026-42354 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy