CVE-2026-26004: CWE-639: Authorization Bypass Through User-Controlled Key in getsentry sentry
CVE-2026-26004 is an authorization bypass vulnerability affecting Sentry versions prior to 26.1.0. The flaw exists in the GroupEventJsonView endpoint, allowing an attacker with limited privileges to access data across organizations due to an insecure direct object reference (IDOR). This vulnerability does not require user interaction or elevated privileges beyond low-level access, and it can lead to unauthorized data exposure. The issue was patched in version 26.1.0. Although no known exploits are currently in the wild, the medium severity CVSS score of 5.7 reflects the moderate risk posed by this vulnerability.
AI Analysis
Technical Summary
CVE-2026-26004 is a medium-severity authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the Sentry error tracking and performance monitoring tool. Specifically, versions of Sentry prior to 26.1.0 contain an insecure direct object reference (IDOR) vulnerability in the GroupEventJsonView endpoint. This endpoint improperly validates user permissions when accessing event data, allowing an attacker with low privileges (no authentication elevation required) to access event information belonging to other organizations. The vulnerability arises because the endpoint uses user-controlled keys to fetch data without adequate authorization checks, enabling cross-organization data exposure. The vulnerability is remotely exploitable over the network without user interaction, increasing its risk profile. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, no user interaction, and high confidentiality impact but no integrity or availability impact. The flaw was publicly disclosed on March 17, 2026, and patched in Sentry version 26.1.0. No known exploits have been reported in the wild to date. The vulnerability primarily threatens confidentiality by exposing sensitive event data across organizational boundaries, which could include error logs, performance metrics, and potentially sensitive debugging information.
Potential Impact
The primary impact of CVE-2026-26004 is unauthorized disclosure of sensitive event and error tracking data across organizational boundaries. This can lead to leakage of proprietary or sensitive information such as application errors, stack traces, user data, or performance metrics that organizations rely on for debugging and monitoring. Exposure of such data could aid attackers in reconnaissance, facilitate further attacks, or violate privacy and compliance requirements. Since Sentry is widely used by development teams globally, organizations using vulnerable versions risk cross-tenant data leakage, undermining trust and potentially causing reputational damage. The vulnerability does not affect data integrity or availability but compromises confidentiality, which is critical in multi-tenant environments. The ease of exploitation (no privileges or user interaction required) increases the likelihood of unauthorized access if the vulnerable endpoint is exposed. Organizations relying on Sentry for error monitoring should consider this a significant risk to their operational security and data privacy.
Mitigation Recommendations
The definitive mitigation is to upgrade Sentry installations to version 26.1.0 or later, where the vulnerability has been patched. Organizations should prioritize this upgrade in their patch management processes. If immediate upgrade is not feasible, restricting access to the GroupEventJsonView endpoint through network-level controls such as firewalls or VPNs can reduce exposure. Implementing strict access controls and monitoring access logs for unusual activity related to this endpoint can help detect exploitation attempts. Additionally, organizations should review their Sentry configurations to ensure multi-tenant isolation is enforced and consider applying application-layer access controls or reverse proxies that validate user permissions before forwarding requests. Regular security audits and penetration testing focused on authorization controls in Sentry deployments are recommended to identify any residual weaknesses. Finally, educating development and security teams about the risks of IDOR vulnerabilities and secure coding practices can prevent similar issues in the future.
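As an added illustration (not Sentry's code; the data model, names and sample events are constructed for this example), here is the user-controlled-key lookup pattern the analysis describes beside a tenant-scoped variant that resolves the organization from the URL, requires membership, and records denied lookups so they can be monitored as the mitigation section suggests:

```python
# Constructed example: an IDOR on an event-lookup endpoint and the tenant-scoped
# check that closes it. Not Sentry's implementation; names are hypothetical.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Event:
    event_id: str
    org_id: int
    payload: dict


@dataclass
class User:
    username: str
    org_memberships: set = field(default_factory=set)


# Constructed sample data: two tenants, one event each.
EVENTS = {
    "evt-a1": Event("evt-a1", org_id=1, payload={"message": "NullPointerException in checkout"}),
    "evt-b2": Event("evt-b2", org_id=2, payload={"message": "Timeout contacting payment API"}),
}
ORG_SLUGS = {"acme": 1, "globex": 2}

DENIED_LOG: list = []  # denied lookups, the signal a log monitor would alert on


def event_json_vulnerable(user: User, event_id: str) -> Optional[dict]:
    """IDOR pattern: the user-controlled key alone selects the record; no tenant check."""
    ev = EVENTS.get(event_id)
    return ev.payload if ev else None


def event_json_fixed(user: User, org_slug: str, event_id: str) -> Optional[dict]:
    """Hardened pattern: resolve the tenant from the URL, require membership, and
    scope the lookup to that tenant. Unknown and unauthorized both return None so
    the response does not reveal whether the event exists in another tenant."""
    org_id = ORG_SLUGS.get(org_slug)
    if org_id is None or org_id not in user.org_memberships:
        DENIED_LOG.append({"user": user.username, "org": org_slug, "event": event_id})
        return None
    ev = EVENTS.get(event_id)
    if ev is None or ev.org_id != org_id:
        DENIED_LOG.append({"user": user.username, "org": org_slug, "event": event_id})
        return None
    return ev.payload
```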
Affected Countries
United States, Germany, United Kingdom, France, Japan, Canada, Australia, Netherlands, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-09T17:41:55.860Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b9e71a771bdb1749eb4c62
Added to database: 3/17/2026, 11:43:22 PM
Last enriched: 3/17/2026, 11:58:36 PM
Last updated: 3/18/2026, 5:52:19 AM