PatchSiren cyber security CVE debrief

CVE-2026-42354 getsentry CVE debrief

A critical authentication bypass vulnerability exists in Sentry's SAML SSO implementation, affecting versions 21.12.0 through 26.4.0. The flaw allows account takeover via malicious SAML Identity Provider manipulation when targeting known email addresses on shared Sentry instances. The vulnerability stems from improper validation of SAML assertions (CWE-290), enabling attackers to authenticate as arbitrary users across organizational boundaries within the same Sentry deployment. This is particularly severe for multi-tenant Sentry installations where separate organizations share infrastructure. The vendor has released version 26.4.1 containing the security fix. Organizations should prioritize patching, especially those operating Sentry with SAML SSO enabled in multi-tenant configurations.

Vendor
getsentry
Product
sentry
CVSS
CRITICAL 9.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-08
Original CVE updated
2026-05-18
Advisory published
2026-05-08
Advisory updated
2026-05-18

Who should care

Organizations operating Sentry with SAML SSO enabled, particularly those with multi-tenant deployments or shared infrastructure across business units. Security teams responsible for identity federation and SSO implementations. DevOps and platform engineering teams managing Sentry installations.

Technical summary

The vulnerability exists in Sentry's SAML 2.0 service provider implementation between versions 21.12.0 and 26.4.0. The flaw permits a malicious Identity Provider to forge authentication assertions for arbitrary email addresses, exploiting insufficient validation of SAML response parameters. Attackers require knowledge of the target email address and access to a separate organization on the same Sentry instance. The attack bypasses standard SAML security controls by manipulating assertion trust boundaries between organizations sharing Sentry infrastructure. Successful exploitation grants full account compromise without credentials. The fix in 26.4.1 implements proper assertion validation to prevent cross-organization authentication forgery.

Defensive priority

critical

Recommended defensive actions

  • Upgrade Sentry to version 26.4.1 or later immediately
  • Audit SAML SSO configuration and Identity Provider trust relationships
  • Review authentication logs for anomalous SAML assertions or unexpected cross-organization access patterns
  • Verify that SAML response validation enforces proper audience and recipient constraints
  • Consider temporarily disabling SAML SSO if patching cannot be performed immediately and alternative authentication methods are available
  • Implement additional monitoring for authentication events involving known administrative email addresses
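As an added illustration of the audience and recipient check above (this is not Sentry's code and not taken from the advisory or the patch), the Python sketch below binds a SAML assertion to a single tenant: Issuer, Audience and Recipient are each compared against that organization's own SAML configuration, and the resulting identity is keyed on (organization, email) rather than on email alone, so an assertion from one tenant's Identity Provider cannot select another tenant's user. All names, URLs and the sample response are constructed placeholders, and XML signature verification is assumed to be handled separately by the SAML library.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

@dataclass(frozen=True)
class OrgSamlConfig:
    slug: str
    idp_entity_id: str  # Issuer the org's admins registered for their IdP
    sp_entity_id: str   # Audience this org's SP expects
    acs_url: str        # Recipient (ACS URL) that belongs to this org

def binding_violations(response_xml: str, org: OrgSamlConfig) -> list:
    """Ways the assertion fails to bind to *this* org ([] means bound). Assumes the SAML
    library already verified the XML signature against org.idp_entity_id's certificate."""
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]
    problems = []
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != org.idp_entity_id:
        problems.append(f"issuer {issuer!r} is not org {org.slug!r}'s IdP")
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if org.sp_entity_id not in audiences:
        problems.append(f"audience {audiences!r} lacks {org.sp_entity_id!r}")
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != org.acs_url:
        problems.append("recipient is not this org's ACS URL")
    return problems

def resolve_identity(response_xml: str, org: OrgSamlConfig) -> tuple:
    """Return (org slug, email): the email is scoped to the org whose IdP issued
    the assertion, so it can never select a user belonging to a different org."""
    problems = binding_violations(response_xml, org)
    if problems:
        raise PermissionError("; ".join(problems))
    email = ET.fromstring(response_xml).findtext(
        "saml:Assertion/saml:Subject/saml:NameID", default="", namespaces=NS)
    return (org.slug, email.strip())

def sample_response(issuer: str, audience: str, recipient: str, email: str) -> str:
    """Constructed, unsigned sample response used only for this demonstration."""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
            f'<saml:Assertion><saml:Issuer>{issuer}</saml:Issuer><saml:Subject>'
            f'<saml:NameID>{email}</saml:NameID><saml:SubjectConfirmation>'
            f'<saml:SubjectConfirmationData Recipient="{recipient}"/></saml:SubjectConfirmation>'
            f'</saml:Subject><saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}'
            f'</saml:Audience></saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
```

Running `binding_violations` for a tenant against an assertion issued by a different tenant's IdP reports the Issuer mismatch even when the Audience and Recipient were copied from the target tenant, and `resolve_identity` only ever yields an identity scoped to the tenant whose IdP spoke.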

Evidence notes

Vulnerability confirmed via NVD analysis with official vendor advisory from Sentry security team. Patch commit 0c67558ae7fe08738912d4c5233b53ead048da3b and pull request 113720 provide technical remediation details. Affected version range 21.12.0 to 26.4.0 explicitly defined in CPE criteria. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N confirms network-exploitable, low-complexity attack with no privileges or user interaction required.

Official resources

2026-05-08