Sentry SAML SSO hijacks accounts (CVE-2026-27197)
CVE-2026-27197
An attacker who controls a malicious SAML IdP linked to one organization can hijack user accounts of other organizations on the same self-hosted Sentry instance (versions 21.12.0 through 26.1.0). Upgrade to version 26.2.0 or later.
Patch now - CVE-2026-27197 is a critical account takeover in self-hosted Sentry 21.12.0 through 26.1.0. An attacker who can link a malicious SAML IdP to one organization can impersonate users from any other organization on the same instance. Upgrade to version 26.2.0 or later to fix this flaw.
Overview
A critical security vulnerability exists in the SAML Single Sign-On (SSO) implementation of self-hosted Sentry, an error tracking and performance monitoring platform. On an instance that hosts more than one organization, it lets an attacker who can configure SSO for one organization take over user accounts that belong to other organizations on the same instance.
Vulnerability Details
In affected versions (21.12.0 through 26.1.0), the SAML login flow trusts the identity asserted by an organization's IdP beyond that organization. An attacker who controls a malicious SAML Identity Provider (IdP) and links it to one organization on the Sentry instance can have that IdP assert the identity of a user from any other organization on the same instance, and Sentry logs the attacker in as that user.
Important Scope: Your self-hosted Sentry instance is only vulnerable if it is configured with multiple organizations (i.e., SENTRY_SINGLE_ORGANIZATION = False). An attacker would also need existing access and permissions to configure SSO settings for at least one organization to initiate this attack.
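The two preconditions above (an affected version and SENTRY_SINGLE_ORGANIZATION = False) can be checked mechanically. The script below is example tooling added to this advisory, not part of the advisory or of Sentry: given the version string your deployment reports and the text of its sentry.conf.py, it reports whether the instance is in the affected range and whether the multi-organization setting is present. Reading the setting with a regular expression is an assumption of this example; it recognises a literal `SENTRY_SINGLE_ORGANIZATION = True` or `= False` assignment and reports "unknown" for anything computed at runtime.

```python
import re
from typing import Optional

AFFECTED_MIN = (21, 12, 0)   # first affected release named in the advisory
FIXED = (26, 2, 0)           # first fixed release

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)")
# Matches an uncommented top-level assignment; the last one in the file wins.
_SETTING_RE = re.compile(
    r"^[ \t]*SENTRY_SINGLE_ORGANIZATION[ \t]*=[ \t]*(True|False)\b", re.MULTILINE
)


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '26.1.0', 'v25.3.1' or '24.10.0.dev0' into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised Sentry version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_affected(version: str) -> bool:
    """True for 21.12.0 <= version < 26.2.0, i.e. the 21.12.0 through 26.1.0 range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def single_organization(conf_text: str) -> Optional[bool]:
    """Effective SENTRY_SINGLE_ORGANIZATION from sentry.conf.py text, or None if not set literally."""
    matches = _SETTING_RE.findall(conf_text)
    if not matches:
        return None
    return matches[-1] == "True"


def exposure(version: str, conf_text: str) -> tuple[str, str]:
    """Return (status, explanation); status is not_affected, mitigated_by_config, exposed or unknown."""
    if not version_affected(version):
        return ("not_affected", f"{version} is outside 21.12.0 through 26.1.0")
    single = single_organization(conf_text)
    if single is True:
        return ("mitigated_by_config",
                "affected version, but SENTRY_SINGLE_ORGANIZATION = True; still upgrade to 26.2.0+")
    if single is False:
        return ("exposed",
                "affected version with multiple organizations; upgrade to 26.2.0+ and have all users enable 2FA")
    return ("unknown",
            "affected version; SENTRY_SINGLE_ORGANIZATION not set literally in sentry.conf.py, check the effective value")


# Constructed sample of a self-hosted sentry.conf.py fragment (not a real file).
SAMPLE_CONF = """
# SENTRY_SINGLE_ORGANIZATION = True   # commented out, must be ignored
SENTRY_OPTIONS["system.url-prefix"] = "https://sentry.example.internal"
SENTRY_SINGLE_ORGANIZATION = False  # several customer organizations on this instance
"""

if __name__ == "__main__":
    for ver in ("21.11.0", "21.12.0", "25.6.0", "26.1.0", "26.2.0"):
        print(ver, *exposure(ver, SAMPLE_CONF))
```

Run it with the version and config file of each self-hosted instance you operate; a "mitigated_by_config" result still warrants the upgrade, since turning the instance multi-organization later would expose it.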
Potential Impact
The impact of this vulnerability is severe (CVSS Score: 9.1 - CRITICAL). A successful attack results in the full compromise of a victim’s user account. The attacker gains all the permissions and access rights associated with that account, which could include:
- Viewing sensitive application error and performance data.
- Modifying project settings or configurations.
- Potentially accessing integrated systems or secrets, depending on the user’s role.
Remediation and Mitigation
Immediate action is required to secure affected systems.
Primary Fix: The definitive solution is to upgrade your self-hosted Sentry installation to version 26.2.0 or later. This version contains the patch that resolves the vulnerability.
Immediate Workaround: If you cannot upgrade immediately, have every user enable Two-Factor Authentication (2FA) on their own Sentry account. With 2FA enrolled, a successful SAML assertion alone does not complete the login, so an attacker who gets through the SAML step still cannot reach the account.
- Crucial Note: Organization administrators cannot enable 2FA for their users. Each individual user must log in and enable 2FA for their own account. IT and security teams should communicate this requirement urgently to all users.
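The following model illustrates both the flaw described under Vulnerability Details and why the two remedies above help. It is example code added to this advisory, not Sentry's implementation; every class and function name in it is hypothetical. It assumes one plausible shape of the bug: the SAML Response from the IdP that one organization trusts is verified correctly, but the asserted subject is then matched to a user account instance-wide instead of through that organization's own identity links, so a user of a different organization is returned. The hardened resolver confines the lookup to identities linked under the organization's provider, and the 2FA branch models the advisory's workaround.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class User:
    user_id: int
    email: str
    has_2fa: bool = False          # user-enrolled second factor (the advisory's workaround)


@dataclass(frozen=True)
class AuthProvider:
    """The SAML IdP that exactly one organization trusts (hypothetical model)."""
    org: str
    issuer: str                    # entityID expected in the IdP's responses


@dataclass(frozen=True)
class Assertion:
    """The parts of a verified SAML Response that matter here (constructed, not real XML)."""
    org: str                       # organization whose login flow received it
    issuer: str                    # entityID of the IdP that signed it
    name_id: str                   # asserted subject, an e-mail address in this model


class Instance:
    """One self-hosted deployment hosting several organizations (SENTRY_SINGLE_ORGANIZATION = False)."""

    def __init__(self) -> None:
        self.users: dict[int, User] = {}
        self.by_email: dict[str, User] = {}
        self.providers: dict[str, AuthProvider] = {}
        # (org, name_id) -> user_id: identities linked through that organization's own provider
        self.identities: dict[tuple[str, str], int] = {}

    def add_user(self, user: User) -> None:
        self.users[user.user_id] = user
        self.by_email[user.email] = user

    def link_identity(self, org: str, name_id: str, user_id: int) -> None:
        self.identities[(org, name_id)] = user_id

    def _provider_accepts(self, a: Assertion) -> bool:
        # Signature verification is modelled as already done. The issuer check passes for the
        # attacker too, because the attacker's own IdP is the one their organization trusts.
        prov = self.providers.get(a.org)
        return prov is not None and prov.issuer == a.issuer

    def resolve_vulnerable(self, a: Assertion) -> Optional[User]:
        """Flawed: once the org's IdP is accepted, the subject is looked up across the whole instance."""
        if not self._provider_accepts(a):
            return None
        return self.by_email.get(a.name_id)

    def resolve_hardened(self, a: Assertion) -> Optional[User]:
        """Fixed: the subject resolves only through identities linked under this organization's provider."""
        if not self._provider_accepts(a):
            return None
        user_id = self.identities.get((a.org, a.name_id))
        return self.users.get(user_id) if user_id is not None else None

    def login(self, a: Assertion, resolve: Callable[[Assertion], Optional[User]]) -> str:
        user = resolve(a)
        if user is None:
            return "rejected"
        if user.has_2fa:
            # The workaround: SSO alone does not complete the login for a 2FA-enrolled user.
            return f"second factor required for {user.email}"
        return f"session for {user.email}"


def build_instance(victim_has_2fa: bool) -> Instance:
    """Constructed scenario: two organizations on one instance, the second one attacker-controlled."""
    inst = Instance()
    alice = User(1, "alice@victim.example", has_2fa=victim_has_2fa)
    mallory = User(2, "mallory@attacker.example")
    inst.add_user(alice)
    inst.add_user(mallory)
    inst.providers["victim-corp"] = AuthProvider("victim-corp", "https://idp.victim.example/saml")
    inst.providers["attacker-org"] = AuthProvider("attacker-org", "https://idp.attacker.example/saml")
    inst.link_identity("victim-corp", "alice@victim.example", alice.user_id)
    inst.link_identity("attacker-org", "mallory@attacker.example", mallory.user_id)
    return inst


def run_scenario(victim_has_2fa: bool = False) -> dict[str, str]:
    inst = build_instance(victim_has_2fa)
    # The attacker's IdP asserts the victim's address as the subject, inside the attacker's own org flow.
    forged = Assertion("attacker-org", "https://idp.attacker.example/saml", "alice@victim.example")
    # Alice's legitimate login through her own organization's IdP.
    genuine = Assertion("victim-corp", "https://idp.victim.example/saml", "alice@victim.example")
    return {
        "forged/vulnerable": inst.login(forged, inst.resolve_vulnerable),
        "forged/hardened": inst.login(forged, inst.resolve_hardened),
        "genuine/hardened": inst.login(genuine, inst.resolve_hardened),
    }


if __name__ == "__main__":
    for label, outcome in run_scenario().items():
        print(f"{label:18} -> {outcome}")
    print("victim enrolled in 2FA ->", run_scenario(victim_has_2fa=True)["forged/vulnerable"])
```

The point of the hardened resolver is that the trust an organization extends to its IdP ends at that organization's own identity links: a subject the IdP has never been linked to, in that organization, is not a login. Note that the 2FA branch only helps users who have enrolled, which is why each user has to do it themselves.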
Summary
Organizations running multi-tenant, self-hosted Sentry instances must prioritize patching this critical account takeover vulnerability. Upgrade to Sentry 26.2.0+ as soon as possible. As a temporary but essential protective measure, mandate that all users enable 2FA on their accounts to significantly reduce the risk of exploitation.