Sentry Patches Critical SAML SSO Bypass — CVE-2026-27197 Allows Account Takeover on Self-Hosted Instances (May 4, 2026)
Sentry disclosed CVE-2026-27197, a critical SAML SSO flaw in self-hosted versions 21.12.0–26.1.0 that lets an attacker take over any account by knowing the victim's email. SaaS was patched in February; self-hosted operators must upgrade to 26.2.0.
Sentry on published a security advisory disclosing a critical SAML SSO authentication flaw, tracked as CVE-2026-27197 (also reported as CVE-2026-42354), that allowed attackers to take over any user account on multi-organization, self-hosted Sentry instances simply by knowing the victim's email address. The Sentry SaaS service was patched silently on ; self-hosted operators must upgrade to Sentry 26.2.0 or later.
What Happened
According to advisory GHSA-ggmg-cqg6-j45g, all Sentry self-hosted versions from 21.12.0 through 26.1.0 mishandled SAML identity-provider responses. When a user signed in via SAML, Sentry linked the assertion to an existing internal user account using only the email address in the assertion — without verifying that the asserting IdP belonged to the user's own organization.
An attacker who could spin up a second organization on the same Sentry instance and configure a malicious SAML IdP could craft a SAML assertion containing a victim's email address and have Sentry link the victim's account to a session under the attacker's control. The result: a complete account takeover with no credential phishing required, only knowledge of the target's email.
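To make the root cause concrete, the following is an added, self-contained model of the account-linking decision the advisory describes; it is not Sentry's code and does not reproduce its internals. A multi-organization instance lets each organization configure its own SAML identity provider, and each assertion arrives on one organization's SSO login endpoint. `link_vulnerable` resolves the asserted email against every account on the instance, which is the bug class; `link_hardened` adds the check the page points to, namely that an organization's IdP may only vouch for users who are already members of that organization. The class and function names, the `corp` and `tenant-b` fixtures, and the `single_organization` flag (which models the effect of `SENTRY_SINGLE_ORGANIZATION = True`, not Sentry's implementation of it) are all constructed for this example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class SamlAssertion:
    """The fields of an IdP response that matter for account linking."""
    issuer: str    # entityID of the IdP that signed the assertion (signature assumed verified upstream)
    email: str     # email attribute carried in the assertion
    org_slug: str  # organization whose SSO login endpoint received the assertion


@dataclass
class Organization:
    slug: str
    idp_issuer: str                            # the single IdP this organization trusts
    members: set = field(default_factory=set)  # user ids that belong to this organization


@dataclass
class User:
    user_id: str
    email: str


class LinkError(Exception):
    """Raised when an assertion may not be attached to an existing account."""


class Instance:
    """Toy multi-organization instance (constructed for illustration, not Sentry's model)."""

    def __init__(self, orgs, users, single_organization=False):
        # Single-organization mode removes the attack precondition: with only one
        # organization there is no second IdP on the instance.
        if single_organization and len(orgs) > 1:
            raise ValueError("single-organization mode permits exactly one organization")
        self.orgs = {o.slug: o for o in orgs}
        self.users = {u.user_id: u for u in users}

    def _org_for(self, assertion):
        org = self.orgs[assertion.org_slug]
        # Both variants verify that the response came from the IdP configured on the
        # organization whose login flow was used; that check alone is not enough.
        if assertion.issuer != org.idp_issuer:
            raise LinkError("assertion issuer does not match this organization's IdP")
        return org

    def _user_by_email(self, email):
        for user in self.users.values():
            if user.email.lower() == email.lower():
                return user
        return None

    def link_vulnerable(self, assertion):
        """Bug class from the advisory: resolve the account instance-wide by email alone,
        so an IdP controlled by one organization can assert any email on the instance."""
        self._org_for(assertion)
        user = self._user_by_email(assertion.email)
        if user is None:
            raise LinkError("no account with that email")
        return user.user_id

    def link_hardened(self, assertion):
        """Added check: the asserting IdP's organization must already count the
        matched user as a member before the assertion may be linked to that account."""
        org = self._org_for(assertion)
        user = self._user_by_email(assertion.email)
        if user is None:
            raise LinkError("no account with that email")
        if user.user_id not in org.members:
            raise LinkError(f"IdP of {org.slug} cannot vouch for a user who is not a member of {org.slug}")
        return user.user_id


def build_demo_instance():
    """Constructed fixture: a victim organization and a second tenant with its own IdP."""
    corp = Organization("corp", "https://idp.corp.example/saml", {"u-alice"})
    other = Organization("tenant-b", "https://idp.tenant-b.example/saml", {"u-bob"})
    users = [User("u-alice", "alice@corp.example"), User("u-bob", "bob@tenant-b.example")]
    return Instance([corp, other], users)


def demo():
    inst = build_demo_instance()
    # Legitimate login: corp's IdP asserting a corp member's email on corp's endpoint.
    legit = SamlAssertion("https://idp.corp.example/saml", "alice@corp.example", "corp")
    # The advisory's scenario: tenant-b's IdP asserting alice's email on tenant-b's endpoint.
    cross_tenant = SamlAssertion("https://idp.tenant-b.example/saml", "alice@corp.example", "tenant-b")
    results = {
        "legit_vulnerable": inst.link_vulnerable(legit),
        "legit_hardened": inst.link_hardened(legit),
        "cross_vulnerable": inst.link_vulnerable(cross_tenant),  # links alice: the takeover
    }
    try:
        results["cross_hardened"] = inst.link_hardened(cross_tenant)
    except LinkError as exc:
        results["cross_hardened"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running the script shows the same legitimate login succeeding under both linkers, while only the hardened linker refuses the cross-tenant assertion. The membership check is deliberately placed after the issuer check: matching the issuer to the organization's configured IdP is necessary, but on a multi-organization instance it does not by itself say anything about which users that IdP is entitled to assert.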
Key Details
- CVE: CVE-2026-27197 (CWE-287, Improper Authentication). Severity: Critical.
- Affected versions: Sentry self-hosted 21.12.0 through 26.1.0.
- Fixed in: Sentry 26.2.0.
- SaaS users (sentry.io): already patched on — no action required.
- Attack precondition: the instance must run with SENTRY_SINGLE_ORGANIZATION = False and the attacker must already have permission to modify SSO settings on a separate organization within the same instance.
- Impact: takeover of any account with a known email address — exposing error data, source maps, performance traces and integration tokens.
What Developers and Users Are Saying
On the Hacker News and r/netsec threads tracking the disclosure, engineers focused on the dangerous overlap of two implementation choices: trusting the email field in a SAML assertion as a stable identity, and allowing per-organization SAML configuration on the same multi-tenant instance. Several commenters pointed out that this is the same class of bug that hit other multi-tenant SAML implementations earlier in 2026, calling it "SAML's rough quarter." On the GitHub advisory, Sentry credited the security researcher who reported the issue and noted that two-factor authentication on user accounts blocks the attack chain even on unpatched servers — a workaround for teams that cannot upgrade immediately.
What This Means for Developers
If you operate a self-hosted, multi-org Sentry installation, treat this as urgent: upgrade to 26.2.0+, and review SSO configurations and audit logs for unexpected IdP entries on tenant orgs. If you cannot upgrade immediately, set SENTRY_SINGLE_ORGANIZATION = True, restrict who can edit SSO settings, and require account-level 2FA for all users. SaaS customers do not need to take action, but should still verify that 2FA is enforced for their organization.
What's Next
Sentry recommends all self-hosted operators move to the latest 26.x line. The advisory is the fourth high-profile SAML implementation flaw disclosed across major SaaS vendors in 2026, and is likely to push more teams toward enforcing IdP allow-lists and per-organization SAML certificate pinning. Watch the Sentry releases page and the security advisories tab for follow-up patches.
Sources
- GitHub Security Advisory GHSA-ggmg-cqg6-j45g — primary disclosure from the Sentry security team.
- GitLab Advisory Database — CVE-2026-27197 — independent CVE listing with affected version range.
- The Hacker Wire — Sentry Critical SAML SSO Bypass Allows Account Takeover — third-party reporting on the disclosure.
- CCB Belgium Safeonweb advisory — national CERT bulletin urging immediate patching.
- WorkOS — SAML's rough quarter, five critical vulnerabilities in four months — broader context on 2026 SAML implementation issues.
- DailyCVE — CVE-2026-42354 entry — alternate CVE listing covering the same advisory.