{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/sentry/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["sentry","Sentry SaaS"],"_cs_severities":["medium"],"_cs_tags":["authentication","saml","sso","account takeover","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Sentry"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-42354, has been identified in the SAML Single Sign-On (SSO) implementation of Sentry, potentially allowing an attacker to compromise user accounts. This vulnerability stems from improper authentication during the SAML SSO process, leading to the possibility of user identity linking. The vulnerability affects Sentry versions 21.12.0 up to and including 26.4.0. To exploit this vulnerability, an attacker requires a malicious SAML Identity Provider and access to another organization within the same Sentry instance, coupled with knowledge of the victim\u0026rsquo;s email address. This attack vector poses a significant risk to self-hosted Sentry instances that are configured with multiple organizations (SENTRY_SINGLE_ORGANIZATION = False), where a malicious user possesses the necessary permissions to modify SSO settings for a different organization. Sentry SaaS has already been patched in April.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains access to a Sentry instance that has multiple organizations configured.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains permissions to modify the SAML SSO settings of at least one organization within the Sentry instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious SAML Identity Provider (IdP) designed to inject or manipulate user identity attributes.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the malicious SAML IdP to initiate a single sign-on (SSO) process to a Sentry organization they control.\u003c/li\u003e\n\u003cli\u003eThe attacker provides the email address of the targeted victim, linking the victim\u0026rsquo;s identity in the Sentry instance to the malicious SAML IdP.\u003c/li\u003e\n\u003cli\u003eThe victim attempts to log in to their Sentry account through SAML SSO.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, Sentry incorrectly authenticates the victim based on the attributes provided by the attacker\u0026rsquo;s malicious SAML IdP.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully takes over the victim\u0026rsquo;s account, gaining access to sensitive data and functionalities associated with the victim\u0026rsquo;s privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to complete account takeover, resulting in unauthorized access to sensitive project data, configuration settings, and potentially even administrative privileges within the Sentry instance. This poses a substantial risk to organizations using vulnerable Sentry versions, as attackers could exfiltrate sensitive information, modify configurations, or disrupt services. The impact is particularly severe for self-hosted Sentry instances with multiple organizations, where a single compromised account could lead to broader access across the entire platform.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade self-hosted Sentry instances to version 26.4.1 or higher to patch CVE-2026-42354.\u003c/li\u003e\n\u003cli\u003eEnable user account-based two-factor authentication (2FA) for all Sentry accounts as a preventative measure, as mentioned in the Workarounds section.\u003c/li\u003e\n\u003cli\u003eMonitor Sentry audit logs for any unauthorized changes to SAML SSO configurations, particularly within multi-organization setups, to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview and restrict permissions for modifying SSO settings across all organizations to minimize the attack surface, as described in the Overview.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T20:45:20Z","date_published":"2026-04-30T20:45:20Z","id":"/briefs/2026-05-sentry-saml-takeover/","summary":"A critical vulnerability (CVE-2026-42354) exists in Sentry's SAML SSO implementation that allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same Sentry instance, affecting self-hosted users with multiple organizations configured if a malicious user has permissions to modify SSO settings, while Sentry SaaS was patched in April and self-hosted users are advised to upgrade to version 26.4.1 or higher.","title":"Sentry SAML SSO Improper Authentication Allows User Identity Linking","url":"https://feed.craftedsignal.io/briefs/2026-05-sentry-saml-takeover/"}],"language":"en","title":"CraftedSignal Threat Feed — Sentry","version":"https://jsonfeed.org/version/1.1"}