CVE-2026-57956 MEDIUM

CVE-2026-57956: SigNoz 0.130.1 - Cross-Organization Insecure Direct Object Reference in Alert Rules

Vendor Signoz
Product signoz
Weakness CWE-639 · IDOR
Published June 29, 2026
Last update June 29, 2026

CVSS base score

6.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01Description

SigNoz through 0.130.1 contains a broken access control vulnerability that allows authenticated users to access other organizations' alert rules by supplying a target rule UUID, as the alert rule store predicates fail to filter by organization ID. Attackers can read, edit, and delete alert rules belonging to other organizations by exploiting the missing tenant isolation check, bypassing multi-tenant access controls.

Key dates

02Disclosure timeline

June 29, 2026 CVE published
June 29, 2026 Record updated