Sentry 8.2.0 RCE: Authenticated Superusers Can Execute Arbitrary Code

The National Vulnerability Database has detailed CVE-2021-47935, a high-severity remote code execution (RCE) vulnerability impacting Sentry version 8.2.0. This flaw allows authenticated superusers to execute arbitrary commands by injecting malicious pickle-serialized objects. The attack vector involves submitting crafted POST requests to the admin audit log endpoint, embedding base64-encoded, compressed pickle payloads within the data field.

This vulnerability, with a CVSS score of 8.8 (HIGH), poses a significant risk. An attacker with superuser credentials can leverage this to achieve full code execution with the application’s privileges. While requiring authenticated superuser access limits the attack surface, the potential for complete system compromise makes this a critical issue for affected deployments.

Defenders must recognize that any compromise of a superuser account, whether through phishing, credential stuffing, or insider threat, immediately escalates to RCE in vulnerable Sentry instances. The core issue lies in insecure deserialization (CWE-94), a perennial problem that continues to plague applications handling untrusted data.

What This Means For You

  • If your organization uses Sentry 8.2.0, you are exposed. Prioritize patching or upgrading immediately. More critically, audit all superuser accounts for suspicious activity and strengthen credential management, including MFA, for these high-privilege accounts. An attacker's calculus here is simple: compromise a superuser, own the system.

Related ATT&CK Techniques

🛡️ Detection Rules

3 detection rules were auto-generated for this incident and mapped to MITRE ATT&CK; the Sigma YAML for one of them is reproduced below.

Severity: critical · ATT&CK: T1190 (Initial Access)

CVE-2021-47935: Sentry Authenticated RCE via Pickle in Audit Log

Sigma YAML
title: 'CVE-2021-47935: Sentry Authenticated RCE via Pickle in Audit Log'
id: scw-2026-05-10-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2021-47935 by targeting the Sentry admin audit log endpoint with a POST request containing a pickle-serialized payload. The presence of '!!python/object/apply:os.system' within the 'data' parameter is a strong indicator of an attempt to execute arbitrary commands using the pickle deserialization vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-05-10
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2021-47935/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/admin/audit-log/'
    cs-method:
      - 'POST'
  # selection_payload must sit beside selection, not under it, for the condition to resolve.
  selection_payload:
    # Caveat: '!!python/object/apply:' is a PyYAML tag, not a pickle construct, and a
    # base64-encoded, zlib-compressed pickle payload will not contain it in cleartext,
    # so this string match only catches payloads sent unencoded.
    data|contains:
      - '!!python/object/apply:os.system'
  condition: selection and selection_payload
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World
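As an added illustration, not code from the page, NVD or Sentry, the following Python shows what a defender can check beyond the rule's string indicator: it applies the rule's endpoint match, then unwraps the base64 + zlib encoding described above and disassembles the pickle with pickletools, without ever loading it, to flag opcodes that import or call a callable. The encoding helper and both sample payloads are constructed for the demonstration, and the method/uri/data field names are assumptions.

```python
import base64
import collections
import pickle
import pickletools
import zlib

# Opcodes that resolve an importable callable or call one while loading.
DANGEROUS_OPCODES = {"GLOBAL", "STACK_GLOBAL", "REDUCE", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "BUILD"}

def decode_data_field(data_field):
    """Undo the base64 + zlib wrapping described for the 'data' field; None if absent."""
    try:
        return zlib.decompress(base64.b64decode(data_field, validate=True))
    except Exception:
        return None

def dangerous_opcodes(blob):
    """Disassemble with pickletools (never pickle.loads) and list the risky opcodes."""
    found = []
    try:
        for opcode, arg, _pos in pickletools.genops(blob):
            if opcode.name in DANGEROUS_OPCODES:
                found.append(opcode.name if arg is None else f"{opcode.name} {arg}")
    except Exception:  # truncated or non-pickle bytes
        found.append("MALFORMED")
    return found

def flag_audit_log_request(method, uri, data_field):
    """Apply the Sigma rule's endpoint logic, then inspect the decoded payload itself."""
    result = {"matches_endpoint": False, "yaml_tag": False, "pickle_opcodes": [], "suspicious": False}
    if method.upper() != "POST" or "/admin/audit-log/" not in uri:
        return result
    result["matches_endpoint"] = True
    # The rule's literal is a PyYAML tag; it is only visible in a cleartext payload.
    result["yaml_tag"] = "!!python/object/apply:" in data_field
    blob = decode_data_field(data_field)
    if blob is not None:
        result["pickle_opcodes"] = dangerous_opcodes(blob)
    result["suspicious"] = result["yaml_tag"] or bool(result["pickle_opcodes"])
    return result

def encode_data_field(obj):
    """Constructed sample input only: wrap a pickle as the article says 'data' is encoded."""
    return base64.b64encode(zlib.compress(pickle.dumps(obj, protocol=4))).decode()

# Constructed samples: a plain dict has no import/call opcodes; OrderedDict is a
# harmless stand-in for any object whose load must import and call a callable.
BENIGN = encode_data_field({"user": "alice", "action": "login"})
CALLS_GLOBAL = encode_data_field(collections.OrderedDict(a=1))
```

The benign entry passes while the OrderedDict sample is flagged for STACK_GLOBAL and REDUCE, which is the signal a defender wants regardless of which module the payload names.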

Indicators of Compromise

ID              Type  Indicator
CVE-2021-47935  RCE   Sentry 8.2.0
CVE-2021-47935  RCE   Injection of malicious pickle-serialized objects
CVE-2021-47935  RCE   audit log entry data parameter
CVE-2021-47935  RCE   POST requests to /admin/audit-log endpoint with base64-encoded compressed pickle payloads in the data field

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 10, 2026 at 16:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Related coverage

Aero CMS 0.0.1 Vulnerability Allows Authenticated PHP Code Injection

CVE-2022-50944 — Aero CMS 0.0.1 contains a PHP code injection vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious files through...

CyberPanel 2.1 RCE via Symlink Attack (CVE-2021-47949)

CVE-2021-47949 — CyberPanel 2.1 contains a command execution vulnerability that allows authenticated attackers to read arbitrary files and execute remote code by exploiting symlink attacks...

TextPattern CMS RCE (CVE-2021-47943) Allows Authenticated Attackers to Execute Commands

CVE-2021-47943 — TextPattern CMS 4.8.7 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by uploading malicious PHP files through...
