CVE-2026-57956 | SigNoz through 0.130.1 contains a broken access control vuln… | CVSS 6.4 MEDIUM

Description

SigNoz through 0.130.1 contains a broken access control vulnerability that allows authenticated users to access other organizations' alert rules by supplying a target rule UUID, as the alert rule store predicates fail to filter by organization ID. Attackers can read, edit, and delete alert rules belonging to other organizations by exploiting the missing tenant isolation check, bypassing multi-tenant access controls.

Metadata

CVE ID: CVE-2026-57956
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-26 13:59 UTC
Published: 2026-06-29 17:22 UTC
Last updated: 2026-06-29 19:22 UTC
Primary CWE: CWE-639
Authorization Bypass Through User-Controlled Key
Vendor / Product: SigNoz / signoz
Sources: cve.org · NVD

Severity & Metrics

6.4 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
SigNoz	signoz	—	0 ≤ 0.130.1

Weakness (CWE)

CWE	Source	Description
CWE-639	cna	Authorization Bypass Through User-Controlled Key

CVSS scores (2)

Score	Severity	Version	Source	Vector
6.4	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L
6.1	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

References (2)