Description
Sentry is an error tracking and performance monitoring tool. From 24.4.0 until 26.5.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Sentry's event ingestion pipeline, where a regex applied to attacker-controlled fields on incoming events can be made to consume disproportionate CPU time. This vulnerability is fixed in 26.5.2.
Published: 2026-06-24
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A weakness in Sentry’s event ingestion pipeline allows an attacker to submit crafted event data whose attacker-controlled fields drive a regular expression applied during ingestion into excessive backtracking, causing the server to consume disproportionate CPU time and potentially become unresponsive. This flaw is a Regular Expression Denial of Service, a classic instance of CWE‑1333, and directly impacts the availability of the Sentry service.

Affected Systems

The vulnerability affects the Sentry error‑tracking platform (getsentry:sentry), specifically all releases from version 24.4.0 up to, but not including, 26.5.2. Users running any of those versions are susceptible to the denial of service.

Risk and Exploitability

The CVSS score of 7.5 indicates high impact, while the EPSS score is not available, suggesting the exact exploitation probability is unknown. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves sending maliciously crafted events to the ingestion API, which does not require special privileges. Successful exploitation would consume CPU, degrade service performance, and could lead to a denial of service for legitimate users.

Generated by OpenCVE AI on June 24, 2026 at 22:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Sentry to version 26.5.2 or later to apply the official fix.
  • If an upgrade cannot be performed immediately, restrict the event ingestion endpoint to trusted clients or implement network-level filtering to limit exposure to attacker‑controlled traffic.
  • Monitor CPU utilization on ingestion nodes and configure alerts or rate limits to detect and mitigate high‑consumption patterns that may indicate exploitation attempts.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:45:00 +0000

Type | Values Removed | Values Added
Description | | Sentry is an error tracking and performance monitoring tool. From 24.4.0 until 26.5.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Sentry's event ingestion pipeline, where a regex applied to attacker-controlled fields on incoming events can be made to consume disproportionate CPU time. This vulnerability is fixed in 26.5.2.
Title | | Sentry: Inefficient Regular Expression Complexity in sentry
Weaknesses | | CWE-1333
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T21:26:26.512Z

Reserved: 2026-06-08T18:02:19.731Z

Link: CVE-2026-52794

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T22:30:15Z

Weaknesses

  • CWE-1333: Inefficient Regular Expression Complexity