Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Network-reachable ingestion with low-complexity crafted input and no real auth barrier (public DSNs) gives AV:N/AC:L/PR:N; ReDoS yields availability-only impact (A:H, C/I:N).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
Sentry is an error tracking and performance monitoring tool. From 24.4.0 until 26.5.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Sentry's event ingestion pipeline, where a regex applied to attacker-controlled fields on incoming events can be made to consume disproportionate CPU time. This vulnerability is fixed in 26.5.2.
AnalysisAI
Denial of service in Sentry's self-hosted/SaaS event ingestion pipeline (versions 24.4.0 through 26.5.1) lets remote actors who can submit events stall worker CPU via a Regular Expression Denial of Service (ReDoS). A loosely-written hostname-detection regex in the grouping parameterization stage (parameterization.py) backtracks catastrophically on crafted attacker-controlled event fields, exhausting CPU and degrading or halting event processing. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the ability to submit events into Sentry's ingestion pipeline (typically possession of a valid project DSN, which is often publicly exposed in client-side code) and that the deployment runs an affected version 24.4.0-26.5.1 where the vulnerable hostname-parameterization regex executes during grouping. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, 7.5 High) is internally consistent with a network-reachable, low-complexity, availability-only ReDoS, and aligns with the description and the diff. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who knows or harvests a project's Sentry DSN sends a crafted error event whose message or module-like field contains a long run of dot-separated alphanumeric segments engineered to nearly match the hostname pattern but fail at the TLD check. When the grouping pipeline applies the vulnerable regex, it backtracks heavily and pins a worker's CPU; repeating this across many events stalls event processing for the project or shared workers. … |
| Remediation | Vendor-released patch: upgrade to Sentry 26.5.2 or later, which rewrites the hostname regex with bounded repetition and shifts TLD/length validation into the is_valid_hostname callback (see PR https://github.com/getsentry/sentry/pull/116587 and advisory https://github.com/getsentry/sentry/security/advisories/GHSA-jjqr-wqg2-p856). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Verify your Sentry deployment version (check Administration → System Information or deployment logs and confirm if running 24.4.0-26.5.1). …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Remote code execution in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows unauthenticated remote attackers to a
Authentication bypass in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows remote unauthenticated attackers to c
A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1,
Sentry 8.2.0 contains a remote code execution vulnerability that allows authenticated superusers to execute arbitrary co
Sentry is an error tracking and performance monitoring platform. Rated high severity (CVSS 8.1), this vulnerability is r
Telestream Tektronix Medius before 10.7.5 and Sentry before 10.7.5 have a SQL injection vulnerability allowing an unauth
Cross Site Scripting vulnerability in Sentry v.6.0.9 allows a remote attacker to execute arbitrary code via the z parame
An authentication bypass vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1,
A vulnerability has been found in Telestream Sentry 6.0.9 and classified as problematic. Rated medium severity (CVSS 5.3
SAML authentication bypass in Sentry 21.12.0 through 26.1.0.
Multiple incomplete blacklist vulnerabilities in Apache Sentry before 1.7.0 allow remote authenticated users to execute
An authenticated user can execute ALTER TABLE EXCHANGE PARTITIONS without being authorized by Apache Sentry before 2.0.1
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39103