CVE-2026-57956
SigNoz 0.130.1 - Cross-Organization Insecure Direct Object Reference in Alert Rules
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 6.1EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —
Ciclo de vida
29 jun 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
SigNoz through 0.130.1 contains a broken access control vulnerability that allows authenticated users to access other organizations' alert rules by supplying a target rule UUID, as the alert rule store predicates fail to filter by organization ID. Attackers can read, edit, and delete alert rules belonging to other organizations by exploiting the missing tenant isolation check, bypassing multi-tenant access controls.
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N
Productos afectados
SigNoz · signoz¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →