Impact
SigNoz version 0.130.1 contains a broken access control that lets an authenticated user supply a rule UUID and bypass tenant boundary checks, enabling read, edit, or delete of alert rules in other organizations. The missing tenant isolation is an insecure direct object reference (IDOR, CWE‑639) that can compromise monitoring for co‑tenant environments by disabling alerts or misconfiguring thresholds.
Affected Systems
Any deployment of SigNoz up to and including 0.130.1 that is configured for multi‑tenant use is affected. Earlier releases that did not include this defect are not impacted, but all accounts should verify their current version.
Risk and Exploitability
The CVSS score of 6.1 reflects moderate severity, and the EPSS score is not available, indicating no publicly known exploits yet. The vulnerability is not listed in KEV. Exploitation is straightforward for authenticated users; they only need to know the target rule UUID and can then read, change, or delete that rule across the organization boundary, all through normal API or UI access. This makes the attack trivial in multi‑tenant setups without additional authorization enforcement.
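The defect described above is a lookup keyed only by the caller-supplied rule UUID, with no check that the rule belongs to the caller's organization. The Go program below is an added illustration written for this page; it is not SigNoz's code or API and its types, function names and sample UUIDs are constructed. It places the unscoped lookup beside the hardened form, where the organization comes from the authenticated session and every read, update and delete is keyed by (org, rule). It also records cross-tenant denials so that such attempts are visible to detection.

```go
package main

import (
	"errors"
	"fmt"
)

// AlertRule is a hypothetical minimal model of an alert rule (not SigNoz's schema).
type AlertRule struct {
	ID        string
	OrgID     string
	Name      string
	Threshold float64
}

// ErrNotFound is returned both for unknown UUIDs and for rules owned by another
// organization, so the API does not confirm that a UUID exists in another tenant.
var ErrNotFound = errors.New("rule not found")

// Constructed sample UUIDs used by the store and the demo below.
const (
	RuleOrgA = "11111111-1111-4111-8111-111111111111"
	RuleOrgB = "22222222-2222-4222-8222-222222222222"
)

// RuleStore is an in-memory stand-in for the rule table, keyed by rule UUID.
// Denials collects every attempt to reach a rule that exists in a different org,
// which is the signal a detection rule would want to alert on.
type RuleStore struct {
	rules   map[string]*AlertRule
	Denials []string
}

// NewSampleStore seeds two rules belonging to two different organizations.
func NewSampleStore() *RuleStore {
	return &RuleStore{rules: map[string]*AlertRule{
		RuleOrgA: {ID: RuleOrgA, OrgID: "org-a", Name: "cpu-high", Threshold: 90},
		RuleOrgB: {ID: RuleOrgB, OrgID: "org-b", Name: "latency-p99-ms", Threshold: 500},
	}}
}

// GetRuleUnscoped models the flaw: any authenticated caller who knows a UUID
// gets the rule, regardless of which organization owns it.
func (s *RuleStore) GetRuleUnscoped(ruleID string) (*AlertRule, error) {
	r, ok := s.rules[ruleID]
	if !ok {
		return nil, ErrNotFound
	}
	return r, nil
}

// GetRuleScoped is the hardened form. callerOrgID must come from the verified
// session or token, never from the request body or query string.
func (s *RuleStore) GetRuleScoped(callerOrgID, ruleID string) (*AlertRule, error) {
	r, ok := s.rules[ruleID]
	if !ok {
		return nil, ErrNotFound
	}
	if r.OrgID != callerOrgID {
		s.Denials = append(s.Denials,
			fmt.Sprintf("org=%s attempted rule=%s owned by org=%s", callerOrgID, ruleID, r.OrgID))
		return nil, ErrNotFound
	}
	return r, nil
}

// UpdateThresholdScoped reuses the scoped lookup so a write can never touch a
// rule the caller's organization does not own.
func (s *RuleStore) UpdateThresholdScoped(callerOrgID, ruleID string, threshold float64) error {
	r, err := s.GetRuleScoped(callerOrgID, ruleID)
	if err != nil {
		return err
	}
	r.Threshold = threshold
	return nil
}

// DeleteRuleScoped applies the same ownership check before removal.
func (s *RuleStore) DeleteRuleScoped(callerOrgID, ruleID string) error {
	if _, err := s.GetRuleScoped(callerOrgID, ruleID); err != nil {
		return err
	}
	delete(s.rules, ruleID)
	return nil
}

func main() {
	s := NewSampleStore()
	// Unscoped: a caller from org-a can read org-b's rule just by knowing its UUID.
	r, _ := s.GetRuleUnscoped(RuleOrgB)
	fmt.Printf("unscoped read from org-a: %s (owner %s)\n", r.Name, r.OrgID)
	// Scoped: the same request is refused and recorded.
	_, err := s.GetRuleScoped("org-a", RuleOrgB)
	fmt.Printf("scoped read from org-a: %v\n", err)
	fmt.Printf("recorded denials: %d\n", len(s.Denials))
}
```

The important design choice is that the tenant identifier is a parameter derived from the authenticated principal, not from client input, and that both the "unknown UUID" and "wrong tenant" cases collapse into the same response. When auditing a fix for this class of bug, check that every handler that accepts a rule UUID (read, update, delete, and any bulk or export endpoint) goes through the scoped path rather than only the obvious GET.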
OpenCVE Enrichment