Skip to main content

SigNoz CVE-2026-57955

| EUVDEUVD-2026-40140 HIGH
SQL Injection (CWE-89)
2026-06-29 disclosure@vulncheck.com GHSA-h37r-3qfp-73w6
8.3
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.5 HIGH

Network-reachable authenticated low-priv user (PR:L) injects SQL; full telemetry read (C:H), SSRF crosses to other systems (S:C), limited integrity, no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
CVE Published
Jun 29, 2026 - 18:37 cve.org
HIGH 8.3
Analysis Generated
Jun 29, 2026 - 18:35 vuln.today

DescriptionCVE.org

SigNoz through 0.130.1 contains a SQL injection vulnerability that allows authenticated attackers to execute arbitrary ClickHouse queries by injecting URL-encoded quotes into the rule ID path parameter of the alert-history endpoints. Attackers can manipulate the unsanitized rule ID interpolated into ClickHouse queries to read all stored traces, logs, and metrics, or abuse the url() function to perform server-side request forgery.

AnalysisAI

SQL injection in SigNoz observability platform (versions through 0.130.1) lets authenticated, low-privileged users inject arbitrary ClickHouse queries through the unsanitized rule ID path parameter of the alert-history endpoints. By URL-encoding quote characters that break out of the interpolated rule ID, an attacker can read every stored trace, log, and metric, and can abuse ClickHouse's url() table function to pivot into server-side request forgery against internal services. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to SigNoz with low-privilege account
Delivery
Craft rule ID with URL-encoded quotes
Exploit
Break out of interpolated ClickHouse query
Execution
Inject SELECT or url() payload
Impact
Exfiltrate all traces/logs/metrics or trigger SSRF

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated SigNoz account of at least low privilege (PR:L) with network access to the alert-history / rule-history endpoints, and the ability to send a crafted rule ID path parameter containing URL-encoded quote characters that escape the interpolated ClickHouse query string. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N, base 8.3) is internally consistent with the description: network-reachable, low complexity, requires an authenticated low-privilege account (PR:L), high confidentiality impact on the vulnerable system (full read of telemetry), and a high subsequent-system confidentiality impact (SC:H) reflecting the SSRF pivot. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged analyst (or an attacker who has phished or otherwise obtained any SigNoz login) sends a request to an alert-history endpoint with a rule ID containing URL-encoded quotes that break out of the interpolated ClickHouse query. They append a SELECT to dump traces, logs, and metrics belonging to other teams or tenants, then use a url()-based payload to make the ClickHouse server request an internal metadata or admin endpoint, achieving SSRF. …
Remediation No vendor-released patched version is identified in the available data; the references point to a VulnCheck advisory and to GitHub issue SigNoz/signoz#11747 rather than a tagged release, so upgrade to the latest SigNoz build above 0.130.1 once a fixed version is published and confirmed by the project, and monitor issue #11747 for the patch commit. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57955 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy