CVE-2026-27197
Published: 21 February 2026
Summary
CVE-2026-27197 is a critical-severity Improper Authentication (CWE-287) vulnerability in Sentry (vendor: Sentry). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 8.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-13 (Identity Providers and Authorization Servers) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely identification, testing, and installation of software flaw fixes, directly remediating the SAML SSO vulnerability in Sentry versions 21.12.0 through 26.1.0.
- IA-13 (Identity Providers and Authorization Servers): establishes requirements for secure selection, configuration, and monitoring of identity providers and authorization servers, preventing exploitation via malicious SAML IdPs.
- IA-5 (Authenticator Management): mandates management of authenticators, including multi-factor authentication, which is the recommended workaround to block account takeover even if SAML authentication succeeds.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables remote exploitation of a public-facing Sentry SAML service provider (T1190) through assertions crafted by a malicious IdP, which amounts to forged SAML token abuse (T1606.002) and yields valid user accounts (T1078) for full account takeover.
NVD Description
Sentry is a developer-first error tracking and performance monitoring tool. Versions 21.12.0 through 26.1.0 have a critical vulnerability in its SAML SSO implementation which allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance. Self-hosted users are only at risk if the following criteria are met: more than one organization is configured (SENTRY_SINGLE_ORGANIZATION = True), or a malicious user has existing access and permissions to modify SSO settings for another organization in a multi-organization instance. This issue has been fixed in version 26.2.0. To work around this issue, implement user account-based two-factor authentication to prevent an attacker from being able to complete authentication with a victim's user account. Organization administrators cannot do this on a user's behalf; this requires individual users to ensure 2FA has been enabled for their account.
Deeper analysis
CVE-2026-27197 is a critical vulnerability in the SAML SSO implementation of Sentry, a developer-first error tracking and performance monitoring tool. It affects versions 21.12.0 through 26.1.0 and enables an attacker to take over any user account by leveraging a malicious SAML Identity Provider alongside another organization on the same Sentry instance. Self-hosted deployments are at risk only if more than one organization is configured or if a malicious user has existing access and permissions to modify SSO settings for another organization in a multi-organization instance. The vulnerability is rated 9.1 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-287 (Improper Authentication).
An unauthenticated attacker over the network can exploit this issue with low complexity by controlling a malicious SAML Identity Provider and utilizing another organization on the shared Sentry instance. Successful exploitation allows full account takeover of any targeted user, granting the attacker their permissions and access within the instance.
The issue has been fixed in Sentry version 26.2.0. As a workaround, implement user account-based two-factor authentication, which users must enable individually since organization administrators cannot do so on their behalf. Additional details are available in the GitHub Security Advisory at https://github.com/getsentry/sentry/security/advisories/GHSA-ggmg-cqg6-j45g.
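The exposure criteria above (affected version range, more than one organization configured, per-user 2FA as the workaround) can be turned into a triage check for a self-hosted instance. This is an added example, not Sentry's own code; the user-to-2FA mapping it takes as input is a hypothetical shape you would fill from your own user inventory.

```python
"""Exposure triage for CVE-2026-27197 (Sentry SAML SSO account takeover).

Added example, not Sentry's own code. Encodes the advisory's criteria: affected
versions 21.12.0 through 26.1.0 (fixed in 26.2.0), exposure only when more than
one organization is configured, and per-user 2FA as the workaround.
"""
import re
from dataclasses import dataclass, field

AFFECTED_MIN, AFFECTED_MAX, FIXED = (21, 12, 0), (26, 1, 0), (26, 2, 0)


def parse_version(version: str) -> tuple:
    """'v26.1.0rc1' -> (26, 1, 0): a leading 'v' and any pre-release suffix are ignored."""
    nums = [int(m.group()) if (m := re.match(r"\d+", p)) else 0
            for p in version.lstrip("v").split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def version_affected(version: str) -> bool:
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


@dataclass
class Assessment:
    version_affected: bool   # running 21.12.0 .. 26.1.0
    multi_org: bool          # more than one organization configured
    exposed: bool            # both conditions hold: takeover is possible
    users_without_2fa: list = field(default_factory=list)  # workaround not in place


def assess(version: str, organization_count: int, users: dict) -> Assessment:
    """users maps username -> True when that user has enabled 2FA (hypothetical input shape)."""
    affected = version_affected(version)
    multi_org = organization_count > 1
    # Single-organization self-hosted instances are out of scope per the advisory text.
    unprotected = sorted(name for name, has_2fa in users.items() if not has_2fa)
    return Assessment(affected, multi_org, affected and multi_org, unprotected)


if __name__ == "__main__":
    # Constructed sample: an affected version, two organizations, one user without 2FA.
    result = assess("25.11.0", 2, {"alice": True, "bob": False})
    print(result)  # exposed=True, users_without_2fa=['bob']
```

Users listed in `users_without_2fa` on an exposed instance are the ones the workaround does not yet cover; upgrading to 26.2.0 clears `version_affected` regardless.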
Details
- CWE(s)