CVE-2026-26004 is a medium-severity authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) found in the Sentry error tracking and performance monitoring tool by getsentry. The vulnerability exists in versions prior to 26.1.0 within the GroupEventJsonView endpoint, which is responsible for rendering event data in JSON format. Due to improper access control, a user with low privileges can manipulate a user-controlled key parameter to bypass authorization checks and access event data belonging to other organizations. This cross-organization Insecure Direct Object Reference (IDOR) flaw allows unauthorized disclosure of potentially sensitive error and performance data across tenant boundaries in multi-tenant deployments. The vulnerability requires no user interaction and no elevated privileges beyond low-level access, increasing the risk of exploitation in environments where multiple organizations share the same Sentry instance. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and high confidentiality impact (VC:H), but no impact on integrity or availability. The issue was addressed in Sentry version 26.1.0 by implementing proper authorization checks to ensure event data is only accessible to authorized users within their own organizations. No public exploits have been reported to date, but the vulnerability poses a risk to confidentiality in multi-tenant environments.

The primary impact of CVE-2026-26004 is unauthorized disclosure of sensitive event and error data across organizational boundaries in Sentry deployments. This can lead to leakage of potentially sensitive application debugging information, error logs, and performance metrics that may contain confidential or proprietary data. Such exposure could aid attackers in reconnaissance or facilitate further attacks against affected organizations. The vulnerability does not affect data integrity or system availability, limiting its impact to confidentiality breaches. Organizations using multi-tenant Sentry instances or shared environments are at higher risk, as attackers with low privileges can access other tenants' data. This may erode trust in the monitoring infrastructure and violate compliance requirements related to data segregation and privacy. Although no known exploits exist currently, the ease of exploitation and network accessibility make timely patching critical to prevent potential data breaches.

To mitigate CVE-2026-26004, organizations should upgrade all affected Sentry instances to version 26.1.0 or later, where the authorization bypass has been fixed. For environments where immediate upgrading is not feasible, implement strict network segmentation and access controls to limit user access to only their respective organizational data. Review and audit user privileges regularly to ensure minimal necessary access is granted. Enable detailed logging and monitoring of access to the GroupEventJsonView endpoint to detect any anomalous or unauthorized access attempts. Additionally, consider deploying web application firewalls (WAFs) with custom rules to detect and block suspicious parameter manipulation targeting this endpoint. Educate developers and administrators about the risks of IDOR vulnerabilities and enforce secure coding practices to prevent similar authorization bypass issues in custom integrations or extensions.