{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/sentry/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-27197"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["sentry","saml","sso","authentication","account-takeover"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical vulnerability (CVE-2026-27197) has been identified in the SAML Single Sign-On (SSO) implementation within Sentry, a popular error tracking and performance monitoring platform. This vulnerability allows a malicious actor to potentially take over user accounts by leveraging a rogue SAML Identity Provider (IdP) in conjunction with another organization configured within the same Sentry instance. The attacker needs to know the victim\u0026rsquo;s email address for successful exploitation. This flaw primarily impacts self-hosted Sentry deployments with multiple organizations enabled (SENTRY_SINGLE_ORGANIZATION = False) and where a malicious user possesses the ability to modify SSO settings for another organization. Sentry SaaS was patched on February 18, 2026. Self-hosted users should upgrade to version 26.2.0 or later to remediate this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to a Sentry instance that hosts multiple organizations. This could be through compromised credentials or other initial access vectors.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target user\u0026rsquo;s email address within the Sentry instance.\u003c/li\u003e\n\u003cli\u003eThe attacker gains permissions to modify SSO settings for an organization within the Sentry instance.\u003c/li\u003e\n\u003cli\u003eThe attacker configures a malicious SAML Identity Provider (IdP) for the organization they control. This IdP is designed to spoof user identities.\u003c/li\u003e\n\u003cli\u003eThe victim attempts to log in to Sentry via SAML SSO.\u003c/li\u003e\n\u003cli\u003eSentry redirects the victim to the attacker\u0026rsquo;s malicious SAML IdP for authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s malicious SAML IdP asserts the victim\u0026rsquo;s identity (using the known email address) to Sentry, but the assertion is illegitimate and controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eSentry, due to the vulnerability, improperly validates the SAML assertion, allowing the attacker to successfully authenticate as the victim and gain unauthorized access to their account.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to completely take over a targeted user\u0026rsquo;s Sentry account. This grants the attacker the ability to access sensitive project data, modify configurations, invite/remove team members, and potentially disrupt the entire Sentry instance\u0026rsquo;s operations. The vulnerability affects Sentry versions 21.12.0 up to, but not including, 26.2.0. The number of potential victims depends on the number of vulnerable Sentry instances with multiple organizations configured and the attacker\u0026rsquo;s ability to modify SSO settings.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade self-hosted Sentry instances to version 26.2.0 or later to patch CVE-2026-27197.\u003c/li\u003e\n\u003cli\u003eEnable two-factor authentication (2FA) on all Sentry accounts. Users can manage this in Account Settings \u0026gt; Security, as mentioned in the \u003ca href=\"https://sentry.zendesk.com/hc/en-us/articles/46773315774235-How-do-I-enable-two-factor-authentication-2FA-on-my-Sentry-account\"\u003ehelpdesk article\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor Sentry logs for unusual SSO configuration changes, specifically modifications to SAML Identity Provider settings. Deploy a rule that detects modifications to the \u003ccode\u003eSENTRY_SINGLE_ORGANIZATION\u003c/code\u003e setting, as this is a prerequisite for exploitation.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Suspicious SAML Authentication\u003c/code\u003e to identify potential unauthorized SAML authentication attempts based on unusual IP addresses or user agents.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T12:00:00Z","date_published":"2026-04-18T12:00:00Z","id":"/briefs/2026-04-sentry-saml-sso-takeover/","summary":"A critical vulnerability in Sentry's SAML SSO implementation allows account takeover by exploiting improper authentication when multiple organizations are configured, affecting versions 21.12.0 to 26.2.0 and requiring a malicious SAML Identity Provider and knowledge of the victim's email address.","title":"Sentry SAML SSO Improper Authentication Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-sentry-saml-sso-takeover/"}],"language":"en","title":"CraftedSignal Threat Feed — Sentry","version":"https://jsonfeed.org/version/1.1"}