CVE Catalog

CVE-2026-57956

MediumCVSS 6.4
Published: Updated: Translated: NVD NIST

Summary

A vulnerability in SigNoz through version 0.130.1 allows authenticated users to access alert rules of other organizations by supplying a target rule UUID, as the alert rule store predicates fail to filter by organization ID. This enables bypassing multi-tenant access controls.

Risk Assessment

Attackers can read, edit, and delete alert rules belonging to other organizations, leading to breaches of confidentiality, integrity, and availability, as well as potential disruption of monitored systems.

Recommendation

Immediately upgrade SigNoz to a version later than 0.130.1, which includes a fix for the broken access control. Until then, restrict access to the alert rules API to trusted users only.

Original NVD description (English source)

SigNoz through 0.130.1 contains a broken access control vulnerability that allows authenticated users to access other organizations' alert rules by supplying a target rule UUID, as the alert rule store predicates fail to filter by organization ID. Attackers can read, edit, and delete alert rules belonging to other organizations by exploiting the missing tenant isolation check, bypassing multi-tenant access controls.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS