CVE-2026-57955
HighCVSS 8.5Summary
A SQL injection vulnerability in SigNoz through version 0.130.1 allows authenticated attackers to execute arbitrary ClickHouse queries by injecting URL-encoded quotes into the rule ID path parameter of alert-history endpoints. Attackers can read all stored traces, logs, and metrics, or abuse the url() function for server-side request forgery (SSRF).
Risk Assessment
The risk includes full exposure of the organization's telemetry data (traces, logs, metrics) and the ability to perform SSRF attacks against internal network resources, potentially leading to further infrastructure compromise.
Recommendation
Immediately upgrade SigNoz to a version newer than 0.130.1 that contains the fix. Until the update is applied, restrict access to alert-history endpoints to trusted users only.
Original NVD description (English source)
SigNoz through 0.130.1 contains a SQL injection vulnerability that allows authenticated attackers to execute arbitrary ClickHouse queries by injecting URL-encoded quotes into the rule ID path parameter of the alert-history endpoints. Attackers can manipulate the unsanitized rule ID interpolated into ClickHouse queries to read all stored traces, logs, and metrics, or abuse the url() function to perform server-side request forgery.

