Description
SigNoz through 0.130.1 contains a broken access control vulnerability that allows authenticated users to access other organizations' alert rules by supplying a target rule UUID, as the alert rule store predicates fail to filter by organization ID. Attackers can read, edit, and delete alert rules belonging to other organizations by exploiting the missing tenant isolation check, bypassing multi-tenant access controls.
Published: 2026-06-29
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SigNoz version 0.130.1 contains a broken access control flaw that lets an authenticated user supply a rule UUID and bypass tenant boundary checks, enabling read, edit, or delete of alert rules in other organizations. The missing tenant isolation is an insecure direct object reference (CWE‑639) that can compromise monitoring for co‑tenant environments by disabling alerts or misconfiguring thresholds.
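The root cause named in the description is a store predicate keyed on the rule UUID alone. The following Go example, added here and not taken from SigNoz's code base, contrasts that unscoped lookup with a tenant-scoped one in a hypothetical in-memory rule store (all type and function names are assumptions): the caller's organization becomes part of every read, update and delete predicate, and a rule from another organization is reported as not found rather than as forbidden, so the error itself does not confirm which UUIDs exist elsewhere.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ErrRuleNotFound is returned both for a missing rule and for a rule owned by a
// different organization, so a caller cannot use the error to probe for UUIDs.
var ErrRuleNotFound = errors.New("alert rule not found")

// AlertRule is a hypothetical, minimal rule record (not SigNoz's own type).
type AlertRule struct {
	ID        string
	OrgID     string
	Name      string
	Threshold float64
	Disabled  bool
}

// RuleStore is an in-memory stand-in for a database-backed alert rule store.
type RuleStore struct {
	mu    sync.RWMutex
	rules map[string]*AlertRule
}

func NewRuleStore(rules ...AlertRule) *RuleStore {
	s := &RuleStore{rules: make(map[string]*AlertRule)}
	for i := range rules {
		r := rules[i]
		s.rules[r.ID] = &r
	}
	return s
}

// GetByIDUnscoped models the vulnerable predicate: the lookup is keyed on the
// rule UUID only, so any authenticated caller who knows the UUID gets the rule.
func (s *RuleStore) GetByIDUnscoped(id string) (AlertRule, error) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	r, ok := s.rules[id]
	if !ok {
		return AlertRule{}, ErrRuleNotFound
	}
	return *r, nil
}

// GetByID is the tenant-scoped form: the caller's organization is part of the
// predicate, the equivalent of "WHERE id = ? AND org_id = ?" in SQL.
func (s *RuleStore) GetByID(orgID, id string) (AlertRule, error) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	r, ok := s.rules[id]
	if !ok || r.OrgID != orgID {
		return AlertRule{}, ErrRuleNotFound
	}
	return *r, nil
}

// Update applies the same scoped predicate, so mutation paths enforce the
// boundary as well as reads. The owning org is never taken from the request.
func (s *RuleStore) Update(orgID string, updated AlertRule) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	r, ok := s.rules[updated.ID]
	if !ok || r.OrgID != orgID {
		return ErrRuleNotFound
	}
	updated.OrgID = r.OrgID
	*r = updated
	return nil
}

// Delete is scoped in the same way.
func (s *RuleStore) Delete(orgID, id string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	r, ok := s.rules[id]
	if !ok || r.OrgID != orgID {
		return ErrRuleNotFound
	}
	delete(s.rules, id)
	return nil
}

func main() {
	// Constructed sample data: one rule per organization.
	s := NewRuleStore(
		AlertRule{ID: "rule-a", OrgID: "org-1", Name: "cpu-high", Threshold: 90},
		AlertRule{ID: "rule-b", OrgID: "org-2", Name: "mem-high", Threshold: 85},
	)
	// An org-1 user supplies org-2's rule UUID.
	_, err := s.GetByIDUnscoped("rule-b")
	fmt.Println("unscoped lookup from org-1:", err) // <nil>: cross-tenant read served
	_, err = s.GetByID("org-1", "rule-b")
	fmt.Println("scoped lookup from org-1:", err) // alert rule not found
}
```

The scoping has to live in the store predicate rather than in a check layered on top in one handler, since every API and UI path that reaches the store then inherits it; a fix that only guards the read endpoint would still leave update and delete exposed.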

Affected Systems

Any deployment of SigNoz up to and including 0.130.1 that is configured for multi‑tenant use is affected. Earlier releases that did not include this defect are not impacted, but all operators should verify their current version.

Risk and Exploitability

The CVSS score of 6.1 reflects moderate severity, and the EPSS score is not available, indicating no publicly known exploits yet. The vulnerability is not listed in KEV. Exploitation is straightforward for authenticated users; they only need to know the target rule UUID and can then read, change, or delete that rule across the organization boundary, all through normal API or UI access. This makes the attack trivial in multi‑tenant setups without additional authorization enforcement.

Generated by OpenCVE AI on June 29, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade SigNoz to the latest available release that resolves the IDOR flaw, such as 0.130.2 or newer.
  • If an immediate upgrade is not possible, restrict API and UI access for alert‑rule management to only trusted administrators of each organization and review current permission sets to prevent cross‑tenant manipulation.
  • Audit existing alert‑rule identifiers and monitor for unauthorized read, update, or delete operations across organization boundaries to detect potential abuse.
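The third action, detecting cross-tenant rule operations, can be run over API audit logs as long as each event carries the caller's organization and the rule identifier. The Go example below is added here and is not OpenCVE's or SigNoz's code; the log field names, the action names and the rule ownership map are constructed assumptions, and the ownership map would in practice be populated from the alert rule table. It flags every successfully served rule operation whose caller belongs to an organization other than the one that owns the rule.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AuditEvent is the assumed shape of one API audit log line (JSON per line).
// The field names are constructed for this example, not SigNoz's log format.
type AuditEvent struct {
	Time     string `json:"time"`
	UserID   string `json:"user_id"`
	ActorOrg string `json:"actor_org"`
	Action   string `json:"action"` // e.g. rule.read, rule.update, rule.delete
	RuleID   string `json:"rule_id"`
	Status   int    `json:"status"`
}

// Finding is one rule operation served across an organization boundary.
type Finding struct {
	Event   AuditEvent
	RuleOrg string // organization that owns the rule
}

// CrossTenantAccesses scans newline-delimited JSON audit lines and reports each
// successful (status < 400) alert-rule operation where the caller's org differs
// from the org that owns the rule, per the ownership map (rule ID -> org ID).
func CrossTenantAccesses(logs string, ruleOwner map[string]string) ([]Finding, error) {
	var findings []Finding
	for n, line := range strings.Split(logs, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var ev AuditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		if !strings.HasPrefix(ev.Action, "rule.") || ev.Status >= 400 {
			continue // not a rule operation, or the request was rejected
		}
		owner, known := ruleOwner[ev.RuleID]
		if !known {
			continue // no ownership record to compare against
		}
		if owner != ev.ActorOrg {
			findings = append(findings, Finding{Event: ev, RuleOrg: owner})
		}
	}
	return findings, nil
}

// sampleLogs is constructed sample input: an org-1 user reads and then deletes
// a rule that belongs to org-2, alongside benign and rejected requests.
const sampleLogs = `
{"time":"2026-06-29T18:20:01Z","user_id":"u-17","actor_org":"org-1","action":"rule.read","rule_id":"r-aaa","status":200}
{"time":"2026-06-29T18:20:05Z","user_id":"u-17","actor_org":"org-1","action":"rule.read","rule_id":"r-bbb","status":200}
{"time":"2026-06-29T18:21:10Z","user_id":"u-42","actor_org":"org-2","action":"rule.update","rule_id":"r-bbb","status":200}
{"time":"2026-06-29T18:22:30Z","user_id":"u-17","actor_org":"org-1","action":"rule.delete","rule_id":"r-bbb","status":200}
{"time":"2026-06-29T18:23:00Z","user_id":"u-17","actor_org":"org-1","action":"rule.delete","rule_id":"r-ccc","status":404}
{"time":"2026-06-29T18:24:00Z","user_id":"u-17","actor_org":"org-1","action":"login","rule_id":"","status":200}
`

// sampleOwners is a constructed rule ownership map (rule ID -> owning org).
var sampleOwners = map[string]string{"r-aaa": "org-1", "r-bbb": "org-2", "r-ccc": "org-3"}

func main() {
	findings, err := CrossTenantAccesses(sampleLogs, sampleOwners)
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s user=%s org=%s %s rule=%s owned-by=%s\n",
			f.Event.Time, f.Event.UserID, f.Event.ActorOrg, f.Event.Action, f.Event.RuleID, f.RuleOrg)
	}
}
```

On an unpatched deployment the cross-tenant requests are served with a success status, which is why the check keys on successful events; once the store is fixed, the same requests return not-found, and a second rule counting repeated 404s for rule UUIDs outside the caller's organization would surface probing attempts.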


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 10:30:00 +0000

Type: First Time appeared
Values added: Signoz; Signoz signoz

Type: Vendors & Products
Values added: Signoz; Signoz signoz

Mon, 29 Jun 2026 20:30:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 29 Jun 2026 18:15:00 +0000

Type: Description
Values added: SigNoz through 0.130.1 contains a broken access control vulnerability that allows authenticated users to access other organizations' alert rules by supplying a target rule UUID, as the alert rule store predicates fail to filter by organization ID. Attackers can read, edit, and delete alert rules belonging to other organizations by exploiting the missing tenant isolation check, bypassing multi-tenant access controls.

Type: Title
Values added: SigNoz 0.130.1 - Cross-Organization Insecure Direct Object Reference in Alert Rules

Type: Weaknesses
Values added: CWE-639

Type: References
Values added: (none)

Type: Metrics (cvssV3_1)
Values added: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L'}

Type: Metrics (cvssV4_0)
Values added: {'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-29T19:22:46.011Z

Reserved: 2026-06-26T13:59:33.048Z

Link: CVE-2026-57956

Vulnrichment

Updated: 2026-06-29T19:22:40.359Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T10:03:52Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key