CVE-2021-47935 Overview
CVE-2021-47935 is a remote code execution vulnerability in Sentry version 8.2.0. The flaw resides in the admin audit log endpoint, which deserializes attacker-controlled pickle data submitted in the data parameter. Authenticated superusers can submit a crafted POST request containing a base64-encoded, compressed pickle payload to achieve code execution with the application's privileges. The issue is classified as [CWE-94] Improper Control of Generation of Code. Sentry is a widely deployed error tracking and application monitoring platform, making this exposure relevant to engineering and observability stacks.
Critical Impact
Authenticated superusers can execute arbitrary operating system commands on the Sentry host through unsafe pickle deserialization in the audit log data field.
Affected Products
- Sentry 8.2.0
- Self-hosted Sentry deployments exposing the admin audit log endpoint
- Installations granting superuser privileges to multiple operators
Discovery Timeline
- 2026-05-10 - CVE-2021-47935 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2021-47935
Vulnerability Analysis
The vulnerability stems from the Sentry admin interface processing serialized objects without validating their type or origin. The audit log entry endpoint accepts a data field that the application decodes from base64, decompresses, and passes to Python's pickle.loads(). Pickle deserialization in Python executes the __reduce__ method of any class encountered in the stream, which attackers can weaponize to invoke arbitrary callables such as os.system or subprocess.Popen. Because the endpoint is reached by an authenticated superuser session, exploitation requires valid administrative credentials but no further user interaction. Successful exploitation results in command execution under the Sentry application service account, granting access to configuration, secrets, and connected data sources.
Root Cause
The root cause is unsafe use of Python's pickle module on attacker-influenced input. Pickle is not a safe parser for untrusted data because it permits arbitrary object construction during deserialization. Sentry's audit log handler trusted the encoded data payload submitted through the admin POST request and reconstructed objects without applying a safe loader, allowlist, or alternative serializer such as JSON.
Attack Vector
An attacker who has obtained Sentry superuser credentials submits a POST request to the admin audit log endpoint. The request body contains the malicious payload in the data field, encoded as base64 over a zlib-compressed pickle stream. When the server processes the audit entry, deserialization triggers the embedded callable and the supplied shell command runs on the host. Refer to the Vulncheck Sentry RCE Advisory and Exploit-DB #50318 for the technical writeup.
No verified exploit code is reproduced here. The referenced advisory describes the payload structure: a Python class implementing __reduce__ that returns a tuple of (os.system, ('command',)), pickled with pickle.dumps, compressed with zlib.compress, and base64-encoded before being placed in the data POST parameter.
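The decode chain described above (base64, then zlib, then pickle.loads) is shown here as an added illustration, not Sentry's own handler code, beside two hardened replacements: an Unpickler that refuses every global lookup, and a JSON loader. Function names, the sample audit entry, and the encoding helper are assumptions for the example; the rejected stream uses a harmless datetime.date reference to show that any class reference (the mechanism a malicious __reduce__ relies on) aborts the load.

```python
"""Added example (not Sentry's code): the unsafe decode chain the advisory
describes, beside two hardened replacements. Names are illustrative."""
import base64
import datetime
import io
import json
import pickle
import zlib


def unsafe_load(data_param: str):
    """The vulnerable pattern: base64 -> zlib -> pickle.loads on request input.
    pickle.loads imports and calls any global the stream names, so this must
    never run on attacker-influenced bytes."""
    return pickle.loads(zlib.decompress(base64.b64decode(data_param)))


class PrimitiveOnlyUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so a stream can only rebuild builtin
    containers and scalars (dict, list, tuple, str, bytes, int, float, bool,
    None). Any class reference, including __reduce__ callables, aborts the load."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(
            f"global {module}.{name} is not permitted in audit log data")


def restricted_load(data_param: str):
    """Hardened variant for legacy pickle streams that only ever carried plain data."""
    raw = zlib.decompress(base64.b64decode(data_param))
    return PrimitiveOnlyUnpickler(io.BytesIO(raw)).load()


def json_load(data_param: str):
    """Preferred fix: a serializer that cannot construct arbitrary objects."""
    raw = zlib.decompress(base64.b64decode(data_param))
    return json.loads(raw.decode("utf-8"))


def encode(raw: bytes) -> str:
    """Mirror the client-side encoding (zlib, then base64) for the samples below."""
    return base64.b64encode(zlib.compress(raw)).decode("ascii")


# Constructed sample inputs (assumed field names, not real Sentry audit data).
BENIGN_ENTRY = {"event": "member.add", "actor": "ops-admin", "target": 42}
BENIGN_PICKLE_PARAM = encode(pickle.dumps(BENIGN_ENTRY))
BENIGN_JSON_PARAM = encode(json.dumps(BENIGN_ENTRY).encode("utf-8"))
# A stream that names a global. Harmless here (datetime.date), but the same
# find_class path is what an attacker-controlled __reduce__ would go through.
GLOBAL_REF_PARAM = encode(pickle.dumps(datetime.date(2021, 1, 1)))


def restricted_load_rejects(data_param: str) -> bool:
    """True when the hardened loader refuses the stream."""
    try:
        restricted_load(data_param)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print(unsafe_load(BENIGN_PICKLE_PARAM))           # loads; a hostile stream would too
    print(restricted_load(BENIGN_PICKLE_PARAM))       # loads plain data only
    print(restricted_load_rejects(GLOBAL_REF_PARAM))  # True: global reference refused
    print(json_load(BENIGN_JSON_PARAM))               # no object construction possible
```

The restricted loader is a stop-gap for deployments that cannot change the wire format immediately; moving the field to JSON removes the class of bug entirely, which is the fix the Patch Information section calls for.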
Detection Methods for CVE-2021-47935
Indicators of Compromise
- POST requests to Sentry admin audit log endpoints containing large base64-encoded values in the data parameter
- Child processes spawned by the Sentry application worker that are inconsistent with normal operation, such as sh, bash, curl, or wget
- Outbound network connections initiated by Sentry workers to unfamiliar hosts shortly after admin audit log activity
- Unexpected modifications to files writable by the Sentry service account
Detection Strategies
- Inspect web server and application logs for admin audit log POST requests with payload sizes that exceed normal audit entries
- Correlate authenticated superuser sessions with subsequent process execution events on the Sentry host
- Flag any invocation of pickle.loads against externally sourced data through application-level logging or runtime hooks
Monitoring Recommendations
- Forward Sentry application and reverse proxy logs to a centralized analytics platform for retention and correlation
- Enable process execution telemetry on Sentry hosts to surface anomalous child processes of the application runtime
- Alert on new outbound connections from Sentry workers to destinations outside the documented integration list
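The first two detection strategies (oversized audit log POSTs, correlated with process execution on the host) are worked here as an added example that is not part of the advisory or of any Sentry tooling. The access log and process telemetry lines are constructed, the audit log route and the uwsgi worker image are placeholders, and the size threshold and correlation window are assumptions to tune against a deployment's own baseline.

```python
"""Added detection example (not from the advisory or Sentry): flag oversized
POSTs to the admin audit log path in reverse-proxy access logs and correlate
them with shell child processes of the Sentry worker. Paths, field layouts,
thresholds and image names are assumptions for illustration."""
import re
from datetime import datetime, timedelta

AUDIT_LOG_PATH = "/manage/audit-log/"   # placeholder route, not Sentry's real path
BODY_SIZE_THRESHOLD = 2048               # bytes; baseline against normal audit entries
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "curl", "wget"}
CORRELATION_WINDOW = timedelta(seconds=60)

# Constructed nginx-style access log: remote, time, request, status, request_length.
ACCESS_LOG = """\
10.10.0.5 [10/May/2026:12:00:01 +0000] "POST /manage/audit-log/ HTTP/1.1" 302 412
10.10.0.5 [10/May/2026:12:00:03 +0000] "POST /manage/audit-log/ HTTP/1.1" 302 9812
10.10.0.9 [10/May/2026:12:05:00 +0000] "GET /manage/ HTTP/1.1" 200 301
"""

# Constructed process telemetry: time, parent image, child image.
PROCESS_LOG = """\
2026-05-10T12:00:04Z parent=uwsgi child=sh
2026-05-10T12:00:04Z parent=sh child=curl
2026-05-10T12:30:00Z parent=uwsgi child=python
"""

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<req_len>\d+)$')
PROC_RE = re.compile(r'^(?P<ts>\S+) parent=(?P<parent>\S+) child=(?P<child>\S+)$')


def suspicious_posts(access_log: str) -> list:
    """Return (timestamp, source, request_length) for large POSTs to the audit log path."""
    hits = []
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        if (m["method"] == "POST" and m["path"].startswith(AUDIT_LOG_PATH)
                and int(m["req_len"]) > BODY_SIZE_THRESHOLD):
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits.append((ts, m["src"], int(m["req_len"])))
    return hits


def shell_children(process_log: str, worker_image: str = "uwsgi") -> list:
    """Return (timestamp, child) where the worker directly spawned a shell or download tool."""
    events = []
    for line in process_log.splitlines():
        m = PROC_RE.match(line)
        if m and m["parent"] == worker_image and m["child"] in SUSPICIOUS_CHILDREN:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S%z")
            events.append((ts, m["child"]))
    return events


def correlate(access_log: str, process_log: str) -> list:
    """Pair each suspicious POST with worker child processes inside the window."""
    alerts = []
    for post_ts, src, size in suspicious_posts(access_log):
        for proc_ts, child in shell_children(process_log):
            if post_ts <= proc_ts <= post_ts + CORRELATION_WINDOW:
                alerts.append({"src": src, "request_length": size, "child": child,
                               "lag_s": int((proc_ts - post_ts).total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in correlate(ACCESS_LOG, PROCESS_LOG):
        print("ALERT: oversized audit log POST followed by worker child process", alert)
```

On the constructed input the 412-byte POST stays under the threshold, the 9812-byte POST is flagged, and the sh spawned by the worker one second later produces a single correlated alert; the curl under sh is a grandchild and is left for a process-tree rule.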
How to Mitigate CVE-2021-47935
Immediate Actions Required
- Upgrade Sentry from 8.2.0 to a release that eliminates pickle deserialization on the audit log endpoint
- Audit the superuser account list and revoke privileges from accounts that do not require administrative access
- Rotate Sentry API tokens, signing secrets, and database credentials accessible from the application host if compromise is suspected
- Restrict network reachability of the Sentry admin interface to trusted management networks only
Patch Information
Upgrade to a Sentry release later than 8.2.0 that replaces pickle deserialization with a safe serializer. Consult the Vulncheck Sentry RCE Advisory and the Sentry project site for current supported versions and upgrade guidance. Self-hosted operators should review release notes for security fixes affecting the admin audit log handler.
Workarounds
- Place the Sentry admin interface behind a VPN or zero-trust gateway to block unauthenticated network reach
- Enforce multi-factor authentication on all superuser accounts to raise the cost of credential compromise
- Run the Sentry application under a least-privilege service account with restricted file system and outbound network permissions
- Monitor and rate-limit POST requests to admin endpoints at the reverse proxy to surface exploitation attempts
# Example reverse proxy restriction limiting admin access to a management CIDR
location /manage/ {
    allow 10.10.0.0/24;
    deny all;
    proxy_pass http://sentry_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.