Description
Sentry 8.2.0 contains a remote code execution vulnerability that allows authenticated superusers to execute arbitrary commands by injecting malicious pickle-serialized objects through the audit log entry data parameter. Attackers can submit crafted POST requests to the admin audit log endpoint with base64-encoded compressed pickle payloads in the data field to achieve code execution with application privileges.
Published: 2026-05-10
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Sentry 8.2.0 contains a flaw that permits authenticated superusers to inject malicious pickle objects into the audit log entry data parameter; a crafted POST request to the admin audit log endpoint with a base64‑encoded, compressed pickle payload enables the attacker to execute arbitrary application‑level commands, giving them the privileges of the Sentry application. The vulnerability is a manifestation of code injection (CWE‑94), allowing the attacker to control process execution and compromise the confidentiality, integrity, and availability of the system.

Affected Systems

The affected product is Sentry by Sentry, version 8.2.0. No other versions are listed as impacted in the CNA data.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. An EPSS score is not available, but the absence of an exploitation estimate matters less here because the attack requires an authenticated superuser. Since the vulnerability is not listed in CISA KEV, it is not yet a known exploited vulnerability, but it remains a significant risk for any Sentry deployment that uses the audit log feature with superuser access. An attacker holding superuser credentials can send a crafted request directly to the audit log endpoint and cause remote code execution on the server hosting the Sentry application.

Generated by OpenCVE AI on May 10, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Sentry to a version that removes the ability to deserialize arbitrary pickle data (for example, migrate to a newer release where this issue is fixed).
  • If an upgrade is not immediately possible, disable or restrict the audit log entry data field so that it no longer accepts user‑supplied pickle payloads, or replace it with safe, non‑serializable input.
  • Limit superuser privileges to only those accounts that truly require them, ensuring that no unnecessary users can send audit‑log requests; monitor for anomalous POST activity to the admin audit log endpoint.
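The second recommendation above (stop the data field from accepting user-supplied pickle payloads) can be enforced in code while an upgrade is pending. The following is an added example written for this page; it is not Sentry's code and not OpenCVE's. It assumes only the encoding the description gives (base64 over zlib over pickle) and uses two independent layers: a static opcode walk with `pickletools` that never executes the stream, and an `Unpickler` whose `find_class` refuses every global lookup. The sample entries, field names and the `load_audit_data`/`encode_payload` helpers are constructed for the example.

```python
import base64
import collections
import io
import pickle
import pickletools
import zlib

# Opcodes that make the unpickler import a module attribute or call an object.
# A stream made only of plain data (dicts, lists, strings, numbers) never needs them.
CODE_BEARING_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
    "REDUCE", "BUILD", "EXT1", "EXT2", "EXT4",
}


def decode_payload(b64_data: str) -> bytes:
    """Undo the transport encoding the advisory describes: base64 over zlib over pickle."""
    return zlib.decompress(base64.b64decode(b64_data))


def pickle_is_plain_data(raw: bytes) -> bool:
    """Walk the opcode stream with pickletools (nothing is executed) and reject any
    stream that imports or calls objects. Malformed or truncated streams are rejected too."""
    try:
        for opcode, _arg, _pos in pickletools.genops(raw):
            if opcode.name in CODE_BEARING_OPCODES:
                return False
    except ValueError:
        return False
    return True


class PlainDataUnpickler(pickle.Unpickler):
    """Second layer: even if a stream slips past the static check, refuse every global lookup,
    so no class or function can be resolved while loading."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"audit log data may not reference {module}.{name}")


def load_audit_data(b64_data: str):
    """Decode and load an audit log 'data' value (hypothetical field), accepting plain data only."""
    raw = decode_payload(b64_data)
    if not pickle_is_plain_data(raw):
        raise ValueError("rejected: pickle stream contains code-bearing opcodes")
    return PlainDataUnpickler(io.BytesIO(raw)).load()


def encode_payload(obj) -> str:
    """Produce a value in the same encoding, used only to build the constructed samples below."""
    return base64.b64encode(zlib.compress(pickle.dumps(obj, protocol=2))).decode()


# Constructed samples (not from the advisory): a plain-data entry, and one carrying a class
# reference. OrderedDict itself is harmless, but its pickle uses GLOBAL and REDUCE, the same
# opcodes any code-executing payload needs, so the filter must refuse it.
BENIGN_ENTRY = encode_payload({"event": "user.login", "actor": "alice", "ip": "192.0.2.10"})
GLOBAL_REF_ENTRY = encode_payload(collections.OrderedDict(role="admin"))


if __name__ == "__main__":
    print(load_audit_data(BENIGN_ENTRY))
    try:
        load_audit_data(GLOBAL_REF_ENTRY)
    except ValueError as exc:
        print(exc)
```

Rejections from `load_audit_data` are a natural hook for the monitoring point in the last recommendation: every refused payload is an anomalous write to the audit log endpoint worth alerting on. The durable fix remains to stop accepting pickle for user-controlled data at all and store audit entry data as JSON; the two layers here only contain the exposure until that change ships.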

Advisories

No advisories yet.

History

Sun, 10 May 2026 13:00:00 +0000

Type | Values Removed | Values Added
Description | | Sentry 8.2.0 contains a remote code execution vulnerability that allows authenticated superusers to execute arbitrary commands by injecting malicious pickle-serialized objects through the audit log entry data parameter. Attackers can submit crafted POST requests to the admin audit log endpoint with base64-encoded compressed pickle payloads in the data field to achieve code execution with application privileges.
Title | | Sentry 8.2.0 Remote Code Execution via Pickle Deserialization
First Time appeared | | Sentry; Sentry sentry
Weaknesses | | CWE-94
CPEs | | cpe:2.3:a:sentry:sentry:8.2.0:*:*:*:*:*:*:*
Vendors & Products | | Sentry; Sentry sentry
References | |
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-11T14:44:21.054Z

Reserved: 2026-02-01T11:24:18.717Z

Link: CVE-2021-47935

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-10T13:16:29.693

Modified: 2026-05-10T13:16:29.693

Link: CVE-2021-47935

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T15:45:14Z

Weaknesses