Description
Sentry is a developer-first error tracking and performance monitoring tool. Versions prior to 26.1.0 have a cross-organization Insecure Direct Object Reference (IDOR) vulnerability in Sentry's GroupEventJsonView endpoint. Version 26.1.0 patches the issue.
Published: 2026-03-17
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-organization data exposure
Action: Patch NOW
AI Analysis

Impact

Sentry’s GroupEventJsonView endpoint is vulnerable to an Insecure Direct Object Reference (IDOR): an authenticated user can retrieve event data belonging to organizations they are not a member of. Error and performance events routinely carry stack traces, request headers, user context and other application internals, so the flaw exposes potentially sensitive information across organizational boundaries. The impact is to confidentiality only; integrity and availability are not affected. The weakness is classified as CWE‑639 (Authorization Bypass Through User-Controlled Key).

Affected Systems

The issue affects all Sentry releases before version 26.1.0. The affected vendor is getsentry and the product is Sentry (error tracking and performance monitoring). Version 26.1.0 and later contain the fix.

Risk and Exploitability

The CVSS 4.0 base score of 5.7 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N, with exploit maturity E:P) indicates moderate risk; NVD separately scores the issue 6.5 under CVSS 3.1. The EPSS score is negligible (<1%) and the vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog, although the SSVC assessment records that a proof of concept exists. Exploitation requires only an authenticated account in any one organization on the instance; no further privileges or user interaction are needed, and the attacker then requests event data from other organizations through the vulnerable endpoint. The blast radius is therefore largest on deployments that host more than one organization, where any low-privileged member of one organization can read events belonging to every other organization on the same instance.
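The access-control mistake behind a cross-organization IDOR of this kind, as an added Python model that is not Sentry's code: the handler confirms that the caller is a member of the organization named in the URL, but then resolves the event by its globally unique ID, so a valid event ID from any other organization is served. The hardened handler scopes the lookup to the authorized organization's own projects and answers a foreign ID exactly like an unknown one. The store, organization slugs, user name and event IDs are constructed for the example and are not taken from the advisory.

```python
"""Model of the IDOR class described for GroupEventJsonView (CVE-2026-26004).

Illustrative reconstruction, not Sentry's source. Organizations, projects,
events and users below are constructed sample data.
"""
from dataclasses import dataclass, field


class NotFound(Exception):
    """Maps to HTTP 404."""


class Forbidden(Exception):
    """Maps to HTTP 403."""


@dataclass(frozen=True)
class Event:
    event_id: str      # 32 hex chars, unique across the whole instance
    project_id: int
    payload: dict


@dataclass
class Store:
    org_slug_to_id: dict = field(default_factory=dict)   # slug -> org_id
    project_to_org: dict = field(default_factory=dict)   # project_id -> org_id
    events: dict = field(default_factory=dict)           # event_id -> Event
    memberships: dict = field(default_factory=dict)      # user -> {org_id, ...}


def require_member(store: Store, user: str, org_slug: str) -> int:
    """Authorize the caller against the organization named in the URL."""
    org_id = store.org_slug_to_id.get(org_slug)
    if org_id is None:
        raise NotFound(org_slug)
    if org_id not in store.memberships.get(user, set()):
        raise Forbidden(f"{user} is not a member of {org_slug}")
    return org_id


def event_json_vulnerable(store: Store, user: str, org_slug: str, event_id: str) -> dict:
    """IDOR: membership in the URL's org is checked, but the event is then
    fetched by global id with no check that it belongs to that org."""
    require_member(store, user, org_slug)
    event = store.events.get(event_id)
    if event is None:
        raise NotFound(event_id)
    return event.payload


def event_json_fixed(store: Store, user: str, org_slug: str, event_id: str) -> dict:
    """Fixed: the lookup is scoped to the authorized org. A foreign id gets the
    same 404 as an unknown id, so the endpoint is not an existence oracle."""
    org_id = require_member(store, user, org_slug)
    event = store.events.get(event_id)
    if event is None or store.project_to_org.get(event.project_id) != org_id:
        raise NotFound(event_id)
    return event.payload


def outcome(handler, store: Store, user: str, org_slug: str, event_id: str) -> str:
    """Run a handler and collapse the result to the HTTP status it would yield."""
    try:
        handler(store, user, org_slug, event_id)
        return "200"
    except Forbidden:
        return "403"
    except NotFound:
        return "404"


# Constructed sample ids (assumption: the instance hosts two tenants).
ACME_EVENT = "a" * 32
GLOBEX_EVENT = "b" * 32


def build_sample_store() -> Store:
    """Two tenants on one instance; 'mallory' belongs only to 'acme'."""
    store = Store()
    store.org_slug_to_id = {"acme": 1, "globex": 2}
    store.project_to_org = {10: 1, 20: 2}
    store.events = {
        ACME_EVENT: Event(ACME_EVENT, 10, {"message": "acme: NullPointerException"}),
        GLOBEX_EVENT: Event(GLOBEX_EVENT, 20, {"message": "globex: secret in stack frame"}),
    }
    store.memberships = {"mallory": {1}}
    return store


def demo() -> dict:
    """Status code each handler returns for the interesting request shapes."""
    store = build_sample_store()
    return {
        "vuln_own_org_own_event": outcome(event_json_vulnerable, store, "mallory", "acme", ACME_EVENT),
        "vuln_own_org_foreign_event": outcome(event_json_vulnerable, store, "mallory", "acme", GLOBEX_EVENT),
        "vuln_foreign_org_direct": outcome(event_json_vulnerable, store, "mallory", "globex", GLOBEX_EVENT),
        "fixed_own_org_own_event": outcome(event_json_fixed, store, "mallory", "acme", ACME_EVENT),
        "fixed_own_org_foreign_event": outcome(event_json_fixed, store, "mallory", "acme", GLOBEX_EVENT),
        "fixed_unknown_event": outcome(event_json_fixed, store, "mallory", "acme", "c" * 32),
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:30} -> {status}")
```

The instructive case is `vuln_foreign_org_direct`: naming the victim organization in the URL is correctly refused, which is why a membership check on the URL alone looks sufficient in testing. The leak only appears when the attacker keeps their own organization in the URL and substitutes a foreign event ID, which is the request shape any post-fix test should include.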

Generated by OpenCVE AI on March 23, 2026 at 19:29 UTC.

Remediation

Vendor fix: upgrade to Sentry 26.1.0 or later. No workaround is documented.

OpenCVE Recommended Actions

  • Upgrade Sentry to version 26.1.0 or later
  • After upgrading, verify the fix: using an account that belongs to exactly one organization, request through GroupEventJsonView an event that lives in a project of a different organization and confirm the response is a 403 or 404 rather than the event JSON
  • If an upgrade is not yet possible, be aware that no vendor workaround is documented; the exposure only exists on instances that host more than one organization, so until the patch is applied limit who can obtain an account on such instances and review access to the endpoint for requests that reference events outside the requester's organizations
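A post-upgrade check for the verification step above, as an added script that is not part of OpenCVE's or Sentry's tooling. It takes the session cookie of a user who belongs to one organization and asks GroupEventJsonView for an event that belongs to a project in a different organization, once with the user's own organization slug in the URL and once with the victim's; a correctly patched instance must answer 403 or 404 both times. The route layout /organizations/<org_slug>/issues/<group_id>/events/<event_id>/json/ and the session cookie name are assumptions taken from Sentry's web routes and should be confirmed against your deployment's own URL map; the base URL, organization slugs, group and event IDs and cookie value are placeholders.

```python
"""Post-upgrade check for CVE-2026-26004: can a member of org A read an event
from org B via GroupEventJsonView?  Added example, not vendor tooling.

ASSUMPTIONS (verify against your instance before trusting the verdict):
  * route: /organizations/<org_slug>/issues/<group_id>/events/<event_id>/json/
  * a logged-in browser session is carried in the 'sentrysid' cookie
"""
import json
import sys
import urllib.error
import urllib.request

EXPOSED, BLOCKED, INCONCLUSIVE = "EXPOSED", "BLOCKED", "INCONCLUSIVE"


def event_json_url(base_url: str, org_slug: str, group_id: str, event_id: str) -> str:
    """Build the GroupEventJsonView URL (route layout is an assumption, see above)."""
    return (f"{base_url.rstrip('/')}/organizations/{org_slug}"
            f"/issues/{group_id}/events/{event_id}/json/")


def classify(status: int, content_type: str, body: str, expected_event_id: str) -> str:
    """Decide what a response means.

    EXPOSED      - 200 with a JSON body carrying the foreign event id we asked for
    BLOCKED      - 403 or 404: the organization-scoping check held
    INCONCLUSIVE - anything else; urllib follows redirects, so a session that is
                   rejected typically surfaces as 200 text/html (the login page),
                   meaning the check did not actually exercise the endpoint
    """
    if status in (403, 404):
        return BLOCKED
    if status == 200 and "json" in content_type.lower():
        try:
            doc = json.loads(body)
        except ValueError:
            return INCONCLUSIVE
        if isinstance(doc, dict):
            found = doc.get("event_id") or doc.get("eventID") or doc.get("id")
            if found == expected_event_id:
                return EXPOSED
    return INCONCLUSIVE


def probe(base_url: str, org_slug: str, group_id: str, event_id: str,
          session_cookie: str, cookie_name: str = "sentrysid") -> str:
    """Request the foreign event with the single-organization user's session."""
    req = urllib.request.Request(event_json_url(base_url, org_slug, group_id, event_id))
    req.add_header("Cookie", f"{cookie_name}={session_cookie}")
    req.add_header("Accept", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return classify(resp.status, resp.headers.get("Content-Type", ""),
                            resp.read().decode("utf-8", "replace"), event_id)
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers.get("Content-Type", ""),
                        err.read().decode("utf-8", "replace"), event_id)


if __name__ == "__main__":
    # Placeholders: 'mallory' is a member of 'acme' only; the group/event belong
    # to a project in 'globex'. Both URL shapes must come back BLOCKED.
    base = "https://sentry.example.internal"
    cookie = "<session cookie of the acme-only user>"
    foreign_group, foreign_event = "123456", "b" * 32
    verdicts = {
        "own slug, foreign ids": probe(base, "acme", foreign_group, foreign_event, cookie),
        "victim slug, foreign ids": probe(base, "globex", foreign_group, foreign_event, cookie),
    }
    for shape, verdict in verdicts.items():
        print(f"{shape:26} -> {verdict}")
    sys.exit(0 if all(v == BLOCKED for v in verdicts.values()) else 1)
```

Run it from a host that can reach the instance; a non-zero exit means either the endpoint still served the foreign event (EXPOSED) or the check could not be trusted (INCONCLUSIVE, usually an expired session cookie), and both deserve a look before the upgrade is signed off.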

Generated by OpenCVE AI on March 23, 2026 at 19:29 UTC.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 18:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Sentry; Sentry sentry
CPEs                |                | cpe:2.3:a:sentry:sentry:*:*:*:*:*:*:*:*
Vendors & Products  |                | Sentry; Sentry sentry
Metrics             |                | cvssV3_1

    {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Wed, 18 Mar 2026 21:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc

    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 12:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Getsentry; Getsentry sentry
Vendors & Products  |                | Getsentry; Getsentry sentry

Tue, 17 Mar 2026 23:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Sentry is a developer-first error tracking and performance monitoring tool. Versions prior to 26.1.0 have a cross-organization Insecure Direct Object Reference (IDOR) vulnerability in Sentry's GroupEventJsonView endpoint. Version 26.1.0 patches the issue.
Title       |                | Sentry allows unauthorized access to event data across organizational boundaries
Weaknesses  |                | CWE-639
References  |                |
Metrics     |                | cvssV4_0

    {'score': 5.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T20:17:22.669Z

Reserved: 2026-02-09T17:41:55.860Z

Link: CVE-2026-26004

Vulnrichment

Updated: 2026-03-18T20:17:17.137Z

NVD

Status : Analyzed

Published: 2026-03-18T00:16:18.943

Modified: 2026-03-23T18:12:48.333

Link: CVE-2026-26004

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:54:22Z

Weaknesses