CVE-2026-57956

SigNoz 0.130.1 - Cross-Organization Insecure Direct Object Reference in Alert Rules

CVSS 6.1 (Medium) · EPSS 0.2% · CWE-639
Vexday Risk Score: 13 (Low)
SSVC decision (CISA): Track (no exploitation signal, monitor)
Indicators: KEV no · PoC · Nuclei · Metasploit · Patch
Lifecycle: 29 Jun 2026, published on NVD
Recommendation: Monitor; no exploitation signal at the moment.
SigNoz through 0.130.1 contains a broken access control vulnerability that allows authenticated users to access other organizations' alert rules by supplying a target rule UUID, as the alert rule store predicates fail to filter by organization ID. Attackers can read, edit, and delete alert rules belonging to other organizations by exploiting the missing tenant isolation check, bypassing multi-tenant access controls.
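The defect class described above is a store predicate that matches on the rule UUID alone. The following Go sketch is an added illustration, not SigNoz code: a constructed in-memory store with a hypothetical AlertRule type shows the unscoped lookup beside the tenant-scoped one, where the predicate must match both the UUID and the caller's organization ID (the same predicate would also guard the edit and delete paths).

```go
package main

import "errors"

// AlertRule keeps only the fields relevant to tenant scoping (hypothetical type).
type AlertRule struct{ ID, OrgID, Name string }
var ErrNotFound = errors.New("alert rule not found")

// RuleStore is a constructed in-memory stand-in for the alert rule store;
// sampleRules seeds two organizations with one rule each (constructed data).
type RuleStore struct{ rules []AlertRule }
var sampleRules = []AlertRule{{"rule-1", "org-a", "High latency"}, {"rule-2", "org-b", "Error rate"}}

func NewSampleStore() *RuleStore { return &RuleStore{rules: append([]AlertRule(nil), sampleRules...)} }

// indexOf returns the position of the first rule matching pred, or -1.
func (s *RuleStore) indexOf(pred func(AlertRule) bool) int {
	for i, r := range s.rules {
		if pred(r) {
			return i
		}
	}
	return -1
}

// GetByIDUnscoped mirrors the flawed predicate: it matches on the rule UUID
// alone, so the caller's organization is ignored and any tenant's rule comes back.
func (s *RuleStore) GetByIDUnscoped(_ string, ruleID string) (*AlertRule, error) {
	if i := s.indexOf(func(r AlertRule) bool { return r.ID == ruleID }); i >= 0 {
		return &s.rules[i], nil
	}
	return nil, ErrNotFound
}

// ownedBy is the tenant-scoped predicate: UUID and organization must both match.
func ownedBy(orgID, ruleID string) func(AlertRule) bool {
	return func(r AlertRule) bool { return r.ID == ruleID && r.OrgID == orgID }
}

// GetByID applies the scoped predicate; a foreign UUID yields the same
// not-found error as a nonexistent one, so the response does not confirm it exists.
func (s *RuleStore) GetByID(orgID, ruleID string) (*AlertRule, error) {
	if i := s.indexOf(ownedBy(orgID, ruleID)); i >= 0 {
		return &s.rules[i], nil
	}
	return nil, ErrNotFound
}
```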
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
Affected products
SigNoz · signoz