Vulnerability Details CVE-2026-27197
Sentry is a developer-first error tracking and performance monitoring tool. Versions 21.12.0 through 26.1.0 have a critical vulnerability in their SAML SSO implementation which allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance. Self-hosted users are only at risk if one of the following criteria is met: more than one organization is configured (SENTRY_SINGLE_ORGANIZATION = True), or a malicious user already has access and permissions to modify SSO settings for another organization in a multi-organization instance. This issue has been fixed in version 26.2.0. To work around this issue, implement user account-based two-factor authentication to prevent an attacker from completing authentication with a victim's user account. Organization administrators cannot do this on a user's behalf; individual users must ensure 2FA is enabled for their own account.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 11.7%
CVSS Severity
CVSS v3 Score 9.1
Products affected by CVE-2026-27197
- cpe:2.3:a:sentry:sentry:21.12.0
- cpe:2.3:a:sentry:sentry:22.1.0
- cpe:2.3:a:sentry:sentry:22.10.0
- cpe:2.3:a:sentry:sentry:22.11.0
- cpe:2.3:a:sentry:sentry:22.12.0
- cpe:2.3:a:sentry:sentry:22.2.0
- cpe:2.3:a:sentry:sentry:22.3.0
- cpe:2.3:a:sentry:sentry:22.4.0
- cpe:2.3:a:sentry:sentry:22.5.0
- cpe:2.3:a:sentry:sentry:22.6.0
- cpe:2.3:a:sentry:sentry:22.7.0
- cpe:2.3:a:sentry:sentry:22.8.0
- cpe:2.3:a:sentry:sentry:22.9.0
- cpe:2.3:a:sentry:sentry:23.1.0
- cpe:2.3:a:sentry:sentry:23.1.1
- cpe:2.3:a:sentry:sentry:23.10.0
- cpe:2.3:a:sentry:sentry:23.10.1
- cpe:2.3:a:sentry:sentry:23.11.0
- cpe:2.3:a:sentry:sentry:23.11.1
- cpe:2.3:a:sentry:sentry:23.11.2
- cpe:2.3:a:sentry:sentry:23.12.0
- cpe:2.3:a:sentry:sentry:23.12.1
- cpe:2.3:a:sentry:sentry:23.2.0
- cpe:2.3:a:sentry:sentry:23.3.0
- cpe:2.3:a:sentry:sentry:23.3.1
- cpe:2.3:a:sentry:sentry:23.4.0
- cpe:2.3:a:sentry:sentry:23.5.0
- cpe:2.3:a:sentry:sentry:23.5.1
- cpe:2.3:a:sentry:sentry:23.5.2
- cpe:2.3:a:sentry:sentry:23.6.0
- cpe:2.3:a:sentry:sentry:23.6.1
- cpe:2.3:a:sentry:sentry:23.6.2
- cpe:2.3:a:sentry:sentry:23.7.0
- cpe:2.3:a:sentry:sentry:23.7.1
- cpe:2.3:a:sentry:sentry:23.7.2
- cpe:2.3:a:sentry:sentry:23.8.0
- cpe:2.3:a:sentry:sentry:23.9.0
- cpe:2.3:a:sentry:sentry:23.9.1
- cpe:2.3:a:sentry:sentry:24.1.0
- cpe:2.3:a:sentry:sentry:24.1.1
- cpe:2.3:a:sentry:sentry:24.1.2
- cpe:2.3:a:sentry:sentry:24.10.0
- cpe:2.3:a:sentry:sentry:24.11.0
- cpe:2.3:a:sentry:sentry:24.11.1
- cpe:2.3:a:sentry:sentry:24.11.2
- cpe:2.3:a:sentry:sentry:24.12.0
- cpe:2.3:a:sentry:sentry:24.12.1
- cpe:2.3:a:sentry:sentry:24.12.2
- cpe:2.3:a:sentry:sentry:24.2.0
- cpe:2.3:a:sentry:sentry:24.3.0
- cpe:2.3:a:sentry:sentry:24.4.0
- cpe:2.3:a:sentry:sentry:24.4.1
- cpe:2.3:a:sentry:sentry:24.4.2
- cpe:2.3:a:sentry:sentry:24.5.0
- cpe:2.3:a:sentry:sentry:24.5.1
- cpe:2.3:a:sentry:sentry:24.6.0
- cpe:2.3:a:sentry:sentry:24.7.0
- cpe:2.3:a:sentry:sentry:24.7.1
- cpe:2.3:a:sentry:sentry:24.8.0
- cpe:2.3:a:sentry:sentry:24.9.0
- cpe:2.3:a:sentry:sentry:25.1.0
- cpe:2.3:a:sentry:sentry:25.10.0
- cpe:2.3:a:sentry:sentry:25.11.0
- cpe:2.3:a:sentry:sentry:25.11.1
- cpe:2.3:a:sentry:sentry:25.12.0
- cpe:2.3:a:sentry:sentry:25.12.1
- cpe:2.3:a:sentry:sentry:25.2.0
- cpe:2.3:a:sentry:sentry:25.3.0
- cpe:2.3:a:sentry:sentry:25.4.0
- cpe:2.3:a:sentry:sentry:25.5.0
- cpe:2.3:a:sentry:sentry:25.5.1
- cpe:2.3:a:sentry:sentry:25.6.0
- cpe:2.3:a:sentry:sentry:25.6.1
- cpe:2.3:a:sentry:sentry:25.6.2
- cpe:2.3:a:sentry:sentry:25.7.0
- cpe:2.3:a:sentry:sentry:25.8.0
- cpe:2.3:a:sentry:sentry:25.9.0
- cpe:2.3:a:sentry:sentry:26.1.0