CVE-2026-42354 Overview
Sentry, an open-source error tracking and performance monitoring platform, contains an authentication bypass vulnerability in its Security Assertion Markup Language (SAML) Single Sign-On (SSO) implementation. The flaw affects versions from 21.12.0 up to but not including 26.4.1. An attacker who controls a malicious SAML Identity Provider (IdP) and operates another organization on the same Sentry instance can take over arbitrary user accounts. Successful exploitation requires only knowledge of the victim's email address. The maintainers patched the issue in version 26.4.1. The weakness is categorized as [CWE-290] Authentication Bypass by Spoofing.
Critical Impact
An attacker can hijack any account on a shared Sentry instance by asserting the victim's email through a malicious SAML IdP during SSO setup, gaining full access to projects, source maps, and error data.
Affected Products
- Sentry versions 21.12.0 through 26.4.0
- Self-hosted Sentry instances with SAML SSO enabled
- Multi-tenant Sentry deployments sharing an instance across organizations
Discovery Timeline
- 2026-05-08 - CVE-2026-42354 published to the National Vulnerability Database
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42354
Vulnerability Analysis
The vulnerability resides in Sentry's SSO setup flow within src/sentry/auth/helper.py. During SAML identity attachment, Sentry trusted the email address asserted by the IdP and passed it to resolve_email_to_user. When an administrator initiated SSO setup for their own organization, the function resolved the IdP-supplied email to whichever existing Sentry user matched, rather than the authenticated admin performing the setup.
An attacker operating a separate organization on the same instance could configure a malicious SAML IdP to assert any victim's email address. The setup handler then linked the attacker-controlled identity to the victim's account, granting the attacker authenticated access on subsequent logins.
Root Cause
The root cause is improper trust in IdP-supplied attributes during the SSO setup flow. The code path used the identity from the SAML assertion directly rather than pinning the linked identity to the currently authenticated administrative session. This is a textbook [CWE-290] Authentication Bypass by Spoofing condition.
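The following is an added illustration, not Sentry's code, that models the setup-flow resolution described above with simplified stand-ins (User, USERS, resolve_email_to_user and the two link_identity functions are assumptions) and places the pre-fix behaviour beside the fixed one from commit 0c67558:

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    id: int
    email: str


# Constructed user table for one shared Sentry instance: the admin who
# initiates SAML setup for organization A, and a victim in organization B.
USERS = {
    "admin@org-a.example": User(id=1, email="admin@org-a.example"),
    "victim@org-b.example": User(id=2, email="victim@org-b.example"),
}


def resolve_email_to_user(email: str) -> Optional[User]:
    """Stand-in for Sentry's resolve_email_to_user: email -> existing user."""
    return USERS.get(email)


def link_identity_vulnerable(identity: dict, request_user: User) -> Optional[User]:
    """Pre-26.4.1 behaviour: the email asserted by the IdP is trusted as-is,
    so the SAML identity is attached to whichever account matches it."""
    return resolve_email_to_user(identity["email"])


def link_identity_fixed(identity: dict, request_user: User) -> Optional[User]:
    """Post-fix behaviour (commit 0c67558): the setup flow overrides the
    asserted email with the authenticated admin's email, so the identity can
    only be attached to the session that is performing setup."""
    setup_identity = {**identity, "email": request_user.email}
    return resolve_email_to_user(setup_identity["email"])


def asserted_email_mismatch(identity: dict, request_user: User) -> bool:
    """Defensive signal worth logging during setup: the IdP asserted an email
    other than the admin's own, i.e. a misconfigured or hostile IdP."""
    return identity["email"].lower() != request_user.email.lower()


if __name__ == "__main__":
    admin = USERS["admin@org-a.example"]
    # A hostile IdP asserts the victim's address during org A's SSO setup.
    hostile = {"ident": "idp-subject-42", "email": "victim@org-b.example"}
    print("vulnerable links to:", link_identity_vulnerable(hostile, admin))
    print("fixed links to:     ", link_identity_fixed(hostile, admin))
    print("mismatch flagged:   ", asserted_email_mismatch(hostile, admin))
```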
Attack Vector
Exploitation is performed remotely over the network and requires no privileges on the victim's organization. The attacker must control a Sentry organization on the same instance, configure a malicious SAML IdP, and know the target email address. No user interaction from the victim is required.
organization_id=self.organization.id, provider=self.provider.key, config=config
)
- self.auth_handler(identity).handle_attach_identity(om)
+ # The setup flow should always link the identity to the admin who is
+ # performing setup, so override the email to ensure resolve_email_to_user
+ # returns the authenticated user rather than whoever the IdP asserted.
+ setup_identity = {**identity, "email": request.user.email}
+ self.auth_handler(setup_identity).handle_attach_identity(om)
auth.mark_sso_complete(request, self.organization.id)
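Review bot: the override at `setup_identity = {**identity, "email": request.user.email}` silently discards the email the IdP actually asserted; consider logging or emitting an audit event when `identity["email"]` differs from `request.user.email`, since a mismatch during setup indicates a misconfigured or hostile IdP that an administrator should see rather than have masked. The fix also relies on `request.user` being the authenticated administrator at this point in the setup flow; stating that precondition in the comment above the override would make the intent clearer to the next reader.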
Source: GitHub Commit 0c67558. The patch overrides the IdP-asserted email with request.user.email, pinning the linked identity to the authenticated session.
Detection Methods for CVE-2026-42354
Indicators of Compromise
- Unexpected SSO identity link events in Sentry audit logs referencing emails that belong to users outside the configuring organization
- New SAML IdP configurations created by non-administrative or recently onboarded organizations on a shared instance
- Login events for privileged accounts originating from SAML providers that were not previously associated with that user
Detection Strategies
- Review the Sentry AuditLogEntry table for sso.identity_linked or organization member additions correlated with SAML setup flows from foreign organizations
- Cross-reference IdP entityID values against an approved allow-list and alert on additions from non-sanctioned organizations
- Hunt for authentication sequences where a user's email is asserted by an IdP that does not match the user's home organization
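An added example, not from the advisory or from Sentry, of the third hunt above run over constructed audit-log lines: it flags sso.identity_linked events whose linked email belongs to a user from a different organization than the one that ran SSO setup. The JSON field names and the HOME_ORG mapping are assumptions for this example, not Sentry's AuditLogEntry schema:

```python
import json
from typing import Dict, List

# Constructed mapping email -> home organization slug. Assumption: in a real
# deployment this is derived from organization membership, and a user who
# legitimately belongs to several organizations needs a set here instead.
HOME_ORG: Dict[str, str] = {
    "admin@org-a.example": "org-a",
    "dev@org-a.example": "org-a",
    "victim@org-b.example": "org-b",
}

# Constructed audit-log lines in a simplified JSON-per-line shape. Only the
# sso.identity_linked event name comes from the advisory text.
SAMPLE_AUDIT_LOG = """\
{"event": "sso.identity_linked", "organization": "org-a", "actor": "admin@org-a.example", "linked_email": "admin@org-a.example", "provider": "saml2"}
{"event": "member.add", "organization": "org-a", "actor": "admin@org-a.example", "linked_email": "dev@org-a.example"}
{"event": "sso.identity_linked", "organization": "org-a", "actor": "admin@org-a.example", "linked_email": "victim@org-b.example", "provider": "saml2"}
{"event": "sso.identity_linked", "organization": "org-c", "actor": "owner@org-c.example", "linked_email": "victim@org-b.example", "provider": "saml2"}
{"event": "sso.identity_linked", "organization": "org-c", "actor": "owner@org-c.example", "linked_email": "ghost@nowhere.example", "provider": "saml2"}
"""


def find_cross_org_links(log_text: str, home_org: Dict[str, str]) -> List[dict]:
    """Flag identity-link events where the linked email belongs to a user
    whose home organization is not the organization that ran SSO setup, or
    to no known user at all (home_org reported as "unknown")."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry.get("event") != "sso.identity_linked":
            continue
        email = entry["linked_email"].lower()
        expected_org = home_org.get(email)
        if expected_org != entry["organization"]:
            hits.append({
                "organization": entry["organization"],
                "actor": entry["actor"],
                "linked_email": email,
                "home_org": expected_org or "unknown",
            })
    return hits


if __name__ == "__main__":
    for hit in find_cross_org_links(SAMPLE_AUDIT_LOG, HOME_ORG):
        print("ALERT cross-org SAML identity link:", hit)
```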
Monitoring Recommendations
- Forward Sentry application logs and audit trails to a centralized analytics platform to retain SSO setup and identity-link events
- Alert on any creation of new AuthProvider records on multi-tenant Sentry instances
- Continuously monitor for privilege changes on accounts immediately following SSO identity link events
How to Mitigate CVE-2026-42354
Immediate Actions Required
- Upgrade all self-hosted Sentry deployments to version 26.4.1 or later without delay
- Audit existing AuthIdentity records and revoke any links created by organizations outside the expected administrative scope
- Force password resets and re-authentication for accounts on shared instances that have SAML identities attached during the affected window
Patch Information
The fix is included in Sentry release 26.4.1. The remediation pins the SSO setup identity to the authenticated administrator's email via setup_identity = {**identity, "email": request.user.email} before invoking handle_attach_identity. See the GitHub Security Advisory GHSA-rcmw-7mc7-3rj7, the Pull Request #113720, and the 26.4.1 Release Notes.
Workarounds
- Restrict the ability to create new organizations on shared Sentry instances to vetted administrators until patching is complete
- Disable SAML SSO provider setup for untrusted organization owners on multi-tenant deployments
- Isolate sensitive organizations onto dedicated Sentry instances rather than sharing tenancy with external parties
# Upgrade self-hosted Sentry to the patched release
cd /path/to/self-hosted
git fetch --tags
git checkout 26.4.1
./install.sh
docker compose up -d
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.