Skip to main content

Sentry CVE-2026-52794

| EUVDEUVD-2026-39103 HIGH
Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)
2026-06-24 GitHub_M
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Network-reachable ingestion with low-complexity crafted input and no real auth barrier (public DSNs) gives AV:N/AC:L/PR:N; ReDoS yields availability-only impact (A:H, C/I:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch available
Jun 24, 2026 - 23:03 EUVD
Source Code Evidence Fetched
Jun 24, 2026 - 22:21 vuln.today
Analysis Generated
Jun 24, 2026 - 22:21 vuln.today

DescriptionCVE.org

Sentry is an error tracking and performance monitoring tool. From 24.4.0 until 26.5.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Sentry's event ingestion pipeline, where a regex applied to attacker-controlled fields on incoming events can be made to consume disproportionate CPU time. This vulnerability is fixed in 26.5.2.

AnalysisAI

Denial of service in Sentry's self-hosted/SaaS event ingestion pipeline (versions 24.4.0 through 26.5.1) lets remote actors who can submit events stall worker CPU via a Regular Expression Denial of Service (ReDoS). A loosely-written hostname-detection regex in the grouping parameterization stage (parameterization.py) backtracks catastrophically on crafted attacker-controlled event fields, exhausting CPU and degrading or halting event processing. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid project DSN
Delivery
Craft event with backtracking hostname-like string
Exploit
Submit event to ingestion endpoint
Execution
Regex backtracks in grouping parameterization
Impact
Worker CPU exhausted, event processing stalls

Vulnerability AssessmentAI

Exploitation Exploitation requires the ability to submit events into Sentry's ingestion pipeline (typically possession of a valid project DSN, which is often publicly exposed in client-side code) and that the deployment runs an affected version 24.4.0-26.5.1 where the vulnerable hostname-parameterization regex executes during grouping. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, 7.5 High) is internally consistent with a network-reachable, low-complexity, availability-only ReDoS, and aligns with the description and the diff. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who knows or harvests a project's Sentry DSN sends a crafted error event whose message or module-like field contains a long run of dot-separated alphanumeric segments engineered to nearly match the hostname pattern but fail at the TLD check. When the grouping pipeline applies the vulnerable regex, it backtracks heavily and pins a worker's CPU; repeating this across many events stalls event processing for the project or shared workers. …
Remediation Vendor-released patch: upgrade to Sentry 26.5.2 or later, which rewrites the hostname regex with bounded repetition and shifts TLD/length validation into the is_valid_hostname callback (see PR https://github.com/getsentry/sentry/pull/116587 and advisory https://github.com/getsentry/sentry/security/advisories/GHSA-jjqr-wqg2-p856). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Verify your Sentry deployment version (check Administration → System Information or deployment logs and confirm if running 24.4.0-26.5.1). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Sentry

View all
CVE-2026-10520 CRITICAL POC
10.0 Jun 09

Remote code execution in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows unauthenticated remote attackers to a

CVE-2026-10523 CRITICAL POC
9.8 Jun 09

Authentication bypass in Ivanti Sentry before R10.5.2, R10.6.2, and R10.7.1 allows remote unauthenticated attackers to c

CVE-2020-15505 CRITICAL POC
9.8 Jul 07

A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1,

CVE-2021-47935 HIGH POC
8.7 May 10

Sentry 8.2.0 contains a remote code execution vulnerability that allows authenticated superusers to execute arbitrary co

CVE-2023-39349 HIGH POC
8.1 Aug 07

Sentry is an error tracking and performance monitoring platform. Rated high severity (CVSS 8.1), this vulnerability is r

CVE-2020-8887 HIGH POC
7.5 Sep 22

Telestream Tektronix Medius before 10.7.5 and Sentry before 10.7.5 have a SQL injection vulnerability allowing an unauth

CVE-2024-48743 MEDIUM POC
6.5 Oct 25

Cross Site Scripting vulnerability in Sentry v.6.0.9 allows a remote attacker to execute arbitrary code via the z parame

CVE-2020-15506 CRITICAL
9.8 Jul 07

An authentication bypass vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1,

CVE-2024-10276 MEDIUM POC
5.3 Oct 23

A vulnerability has been found in Telestream Sentry 6.0.9 and classified as problematic. Rated medium severity (CVSS 5.3

CVE-2026-27197 CRITICAL
9.1 Feb 21

SAML authentication bypass in Sentry 21.12.0 through 26.1.0.

CVE-2016-0760 HIGH
8.8 Aug 19

Multiple incomplete blacklist vulnerabilities in Apache Sentry before 1.7.0 allow remote authenticated users to execute

CVE-2018-8028 HIGH
8.8 Aug 23

An authenticated user can execute ALTER TABLE EXCHANGE PARTITIONS without being authorized by Apache Sentry before 2.0.1

Share

CVE-2026-52794 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy