HIGH 8.8 PyPI

Sentry: Superusers can execute arbitrary commands by injecting malicious pickle-serialized objects through audit log entry data parameter

GHSA-444r-2whx-3685 · CVE-2021-47935 · PYSEC-2026-131


Description

Sentry 8.2.0 contains a remote code execution vulnerability that allows authenticated superusers to execute arbitrary commands by injecting malicious pickle-serialized objects through the audit log entry data parameter. Attackers can submit crafted POST requests to the admin audit log endpoint with base64-encoded compressed pickle payloads in the data field to achieve code execution with application privileges.
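The pattern the advisory describes is `pickle.loads()` on a base64-encoded, zlib-compressed blob taken from a request field. The following is an added example (not Sentry's code) that assumes that pickle -> zlib -> base64 layout and shows the vulnerable decode next to a restricted loader that refuses any pickle stream resolving an importable name, while also bounding the inflated size:

```python
import base64
import collections
import io
import pickle
import zlib

MAX_DECOMPRESSED = 64 * 1024  # cap on inflated size; bounds decompression bombs


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every GLOBAL/STACK_GLOBAL lookup.

    Scalars and plain containers (dict, list, tuple, str, int, ...) pickle
    without naming any importable object, so ordinary audit data still loads,
    while a stream that tries to resolve a module attribute is rejected before
    anything is constructed.
    """

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def encode_audit_data(obj):
    # Constructed stand-in for the wire format the advisory describes
    # (pickle -> zlib -> base64); assumed layout, not Sentry's own helper.
    return base64.b64encode(zlib.compress(pickle.dumps(obj, protocol=2))).decode("ascii")


def decode_unsafe(blob):
    # The vulnerable pattern: pickle.loads() on request-controlled bytes.
    return pickle.loads(zlib.decompress(base64.b64decode(blob)))


def decode_restricted(blob, max_size=MAX_DECOMPRESSED):
    # Inflate at most max_size + 1 bytes so an oversized payload is detected
    # without ever materialising the whole thing, then unpickle with no imports.
    raw = zlib.decompressobj().decompress(base64.b64decode(blob), max_size + 1)
    if len(raw) > max_size:
        raise ValueError("decompressed payload exceeds limit")
    return RestrictedUnpickler(io.BytesIO(raw)).load()


def is_rejected(blob):
    """True when the restricted loader refuses the blob."""
    try:
        decode_restricted(blob)
    except (pickle.UnpicklingError, ValueError):
        return True
    return False


def payload_referencing_global():
    # Benign object whose pickle still carries a GLOBAL opcode
    # (collections.OrderedDict): enough to exercise the rejection path.
    return encode_audit_data(collections.OrderedDict(a=1))


if __name__ == "__main__":
    blob = encode_audit_data({"user_id": 42, "action": "member.add"})
    print(decode_restricted(blob))                    # {'user_id': 42, 'action': 'member.add'}
    print(is_rejected(payload_referencing_global()))  # True
```

For new data the durable fix is to stop pickling altogether and store the audit `data` field as JSON; the restricted loader is only a way to read legacy rows safely.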
