CVE-2026-57956

MEDIUM 6.4

SigNoz 0.130.1 - Cross-Organization Insecure Direct Object Reference in Alert Rules

CVSS Score

6.4

EPSS Score

0.0%

EPSS Percentile

0th

SigNoz through 0.130.1 contains a broken access control vulnerability that allows authenticated users to access other organizations' alert rules by supplying a target rule UUID, as the alert rule store predicates fail to filter by organization ID. Attackers can read, edit, and delete alert rules belonging to other organizations by exploiting the missing tenant isolation check, bypassing multi-tenant access controls.

CWE	CWE-639
Vendor	signoz
Product	signoz
Published	Jun 29, 2026
Last Updated	Jun 29, 2026

Stay Ahead of the Next One

Get instant alerts for signoz signoz

Be the first to know when new medium vulnerabilities affecting signoz signoz are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

High

Availability

Low

Affected Versions

SigNoz / signoz

0 ≤ 0.130.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/SigNoz/signoz/issues/11830 vulncheck.com: https://www.vulncheck.com/advisories/signoz-cross-organization-insecure-direct-object-reference-in-alert-rules

Credits

George Chen