Back to overview

CVE-2026-63094

HIGH
8.1
CVSS 3.1
Description
SigNoz through 0.133.0 contains an open redirect vulnerability in the SSO authentication flow that allows unauthenticated attackers to steal session tokens from any user on instances configured with Google OAuth, SAML, or OIDC. Attackers can call the unauthenticated sessions context endpoint with a ref parameter pointing to an attacker-controlled host, deliver the resulting crafted login URL to a victim, and receive the victim's access and refresh tokens when they complete SSO authentication.

Metadata

CVE ID
CVE-2026-63094
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-07-15 15:45 UTC
Published
2026-07-17 14:22 UTC
Last updated
2026-07-17 14:22 UTC
Primary CWE
CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
Vendor / Product
SigNoz / signoz
Sources
cve.org  ·  NVD

Severity & Metrics

8.1 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Affected products (1)
VendorProductPlatformVersions
SigNoz signoz 0 ≤ 0.133.0
Weakness (CWE)
CWESourceDescription
CWE-345 cna Insufficient Verification of Data Authenticity
CWE-601 cna URL Redirection to Untrusted Site ('Open Redirect')
CVSS scores (2)
ScoreSeverityVersionSourceVector
8.1 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
7.6 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Back to overview