{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26004", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T17:41:55.860Z", "datePublished": "2026-03-17T23:21:35.460Z", "dateUpdated": "2026-03-18T20:17:22.669Z"}, "containers": {"cna": {"title": "Sentry allows unauthorized access to event data across organizational boundaries", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://securitylab.github.com/advisories/GHSL-2025-130_Sentry/", "tags": ["x_refsource_CONFIRM"], "url": "https://securitylab.github.com/advisories/GHSL-2025-130_Sentry/"}, {"name": "https://github.com/getsentry/sentry/pull/105601", "tags": ["x_refsource_MISC"], "url": "https://github.com/getsentry/sentry/pull/105601"}, {"name": "https://github.com/getsentry/sentry/commit/45bc78fd57514a04eb62e73dd1eeb3ca2d723997", "tags": ["x_refsource_MISC"], "url": "https://github.com/getsentry/sentry/commit/45bc78fd57514a04eb62e73dd1eeb3ca2d723997"}], "affected": [{"vendor": "getsentry", "product": "sentry", "versions": [{"version": "< 26.1.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-17T23:21:35.460Z"}, "descriptions": [{"lang": "en", "value": "Sentry is a developer-first error tracking and performance monitoring tool. Versions prior to 26.1.0 have a cross-organization Insecure Direct Object Reference (IDOR) vulnerability in Sentry's GroupEventJsonView endpoint. Version 26.1.0 patches the issue."}], "source": {"advisory": "GHSA-pg63-mwq7-pqf6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T20:17:13.579964Z", "id": "CVE-2026-26004", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T20:17:22.669Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26004", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-18T20:17:13.579964Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T20:17:17.137Z"}}], "cna": {"title": "Sentry allows unauthorized access to event data across organizational boundaries", "source": {"advisory": "GHSA-pg63-mwq7-pqf6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "getsentry", "product": "sentry", "versions": [{"status": "affected", "version": "< 26.1.0"}]}], "references": [{"url": "https://securitylab.github.com/advisories/GHSL-2025-130_Sentry/", "name": "https://securitylab.github.com/advisories/GHSL-2025-130_Sentry/", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/getsentry/sentry/pull/105601", "name": "https://github.com/getsentry/sentry/pull/105601", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/getsentry/sentry/commit/45bc78fd57514a04eb62e73dd1eeb3ca2d723997", "name": "https://github.com/getsentry/sentry/commit/45bc78fd57514a04eb62e73dd1eeb3ca2d723997", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Sentry is a developer-first error tracking and performance monitoring tool. Versions prior to 26.1.0 have a cross-organization Insecure Direct Object Reference (IDOR) vulnerability in Sentry's GroupEventJsonView endpoint. Version 26.1.0 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-17T23:21:35.460Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26004", "state": "PUBLISHED", "dateUpdated": "2026-03-18T20:17:22.669Z", "dateReserved": "2026-02-09T17:41:55.860Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-17T23:21:35.460Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sentry:sentry:*:*:*:*:*:*:*:*", "matchCriteriaId": "3A39D4D3-C991-4C89-A3F9-250CF2397D6E", "versionEndExcluding": "26.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Sentry is a developer-first error tracking and performance monitoring tool. Versions prior to 26.1.0 have a cross-organization Insecure Direct Object Reference (IDOR) vulnerability in Sentry's GroupEventJsonView endpoint. Version 26.1.0 patches the issue."}, {"lang": "es", "value": "Sentry es una herramienta de seguimiento de errores y monitoreo de rendimiento orientada a desarrolladores. Las versiones anteriores a la 26.1.0 tienen una vulnerabilidad de Referencia Directa Insegura a Objeto (IDOR) interorganizacional en el endpoint GroupEventJsonView de Sentry. La versi\u00f3n 26.1.0 corrige el problema."}], "id": "CVE-2026-26004", "lastModified": "2026-03-23T18:12:48.333", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-18T00:16:18.943", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/getsentry/sentry/commit/45bc78fd57514a04eb62e73dd1eeb3ca2d723997"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/getsentry/sentry/pull/105601"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://securitylab.github.com/advisories/GHSL-2025-130_Sentry/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,26.1.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "sentry", "source": "cna", "vendor": "getsentry"}, "product": "sentry", "vendor": "getsentry"}], "analysis": {"en": {"generated_at": "2026-03-23T19:29:37.992646+00:00", "value": {"mitigation_remediation": ["Upgrade Sentry to version\u202f26.1.0 or later", "Verify that the GroupEventJsonView functionality is no longer accessible to users from other organizations", "If upgrade is not yet possible, restrict API key permissions to limit cross\u2011organization data access"], "summary": {"action": "Patch NOW", "impact": "Cross-organization data exposure"}, "threat_synthesis": {"affected_systems": "The issue affects all Sentry instances released before version 26.1.0. The affected vendor is getsentry, and the product is Sentry error tracking and performance monitoring. Version 26.1.0 and later contain a patch that removes the vulnerable endpoint behavior.", "description_and_impact": "Sentry\u2019s GroupEventJsonView endpoint is vulnerable to an Insecure Direct Object Reference, allowing an authenticated user to retrieve event data belonging to other organizations. This IDOR flaw leads to unauthorized access to potentially sensitive error and performance information, compromising confidentiality across organizational boundaries. The vulnerability is classified as CWE\u2011639.", "risk_and_exploitability": "The CVSS score of 5.7 indicates a moderate risk, and the EPSS score is negligible (<1\u202f%). The vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog. Exploitation requires possession of an authenticated account within one organization; the attacker can then request event data for other organizations through the compromised endpoint. No additional escalation or privileges are required beyond normal user access, but the impact spans across all organizations using a shared Sentry deployment."}}}}, "created": "2026-03-18T10:42:33.922572+00:00", "updated": "2026-03-24T10:54:22.636736+00:00", "vendors": ["getsentry", "getsentry$PRODUCT$sentry"]}