Description
Sentry is an error tracking and performance monitoring tool. From 24.4.0 until 26.5.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Sentry's event ingestion pipeline, where a regex applied to attacker-controlled fields on incoming events can be made to consume disproportionate CPU time. This vulnerability is fixed in 26.5.2.
Published: 2026-06-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A weakness in Sentry’s event ingestion pipeline allows an attacker to submit crafted event data that contains a regular expression with high complexity, causing the server to consume excessive CPU resources and potentially become unresponsive. This flaw is characterized as a Regular Expression Denial of Service, a classic example of CWE‑1333, and directly impacts the availability of the Sentry service.

Affected Systems

The vulnerability affects the Sentry error‑tracking platform (getsentry:sentry), specifically all releases from version 24.4.0 up to, but not including, 26.5.2. Users running any of those versions are susceptible to the denial of service.

Risk and Exploitability

The CVSS score of 7.5 indicates high impact, while the EPSS score is not available, suggesting the exact exploitation probability is unknown. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector involves sending maliciously crafted events to the ingestion API, which does not require special privileges. Successful exploitation would consume CPU, degrade service performance, and could lead to a denial of service for legitimate users.

Generated by OpenCVE AI on June 25, 2026 at 00:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Sentry to version 26.5.2 or later to apply the official fix.
  • If an upgrade cannot be performed immediately, restrict the event ingestion endpoint to trusted clients or implement network-level filtering to limit exposure to attacker‑controlled traffic.
  • Monitor CPU utilization on ingestion nodes and configure alerts or rate limits to detect and mitigate high‑consumption patterns that may indicate exploitation attempts.

Generated by OpenCVE AI on June 25, 2026 at 00:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
First Time appeared Getsentry
Getsentry sentry
Vendors & Products Getsentry
Getsentry sentry

Wed, 24 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description Sentry is an error tracking and performance monitoring tool. From 24.4.0 until 26.5.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Sentry's event ingestion pipeline, where a regex applied to attacker-controlled fields on incoming events can be made to consume disproportionate CPU time. This vulnerability is fixed in 26.5.2.
Title Sentry: Inefficient Regular Expression Complexity in sentry
Weaknesses CWE-1333
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

Getsentry Sentry
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T13:52:33.945Z

Reserved: 2026-06-08T18:02:19.731Z

Link: CVE-2026-52794

cve-icon Vulnrichment

Updated: 2026-06-25T13:52:20.241Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T05:45:02Z

Weaknesses
  • CWE-1333

    Inefficient Regular Expression Complexity