Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network API requires authenticated low-privilege user (PR:L) and UUID knowledge (AC:H); integrity is High for unrestricted foreign rule edit/delete, no scope change within same application.
Primary rating from Vendor (vulncheck).
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
SigNoz through 0.130.1 contains a broken access control vulnerability that allows authenticated users to access other organizations' alert rules by supplying a target rule UUID, as the alert rule store predicates fail to filter by organization ID. Attackers can read, edit, and delete alert rules belonging to other organizations by exploiting the missing tenant isolation check, bypassing multi-tenant access controls.
AnalysisAI
Broken tenant isolation in SigNoz through 0.130.1 allows authenticated users from one organization to read, modify, and delete alert rules belonging to entirely separate organizations by directly supplying a target rule UUID via API. The alert rule store predicates omit organization ID filtering - a textbook Insecure Direct Object Reference (CWE-639) - collapsing the multi-tenant access boundary. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid, authenticated SigNoz session with at minimum low-privilege access (PR:L) - any account in any organization on the target instance qualifies. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 score of 6.1 with vector AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N characterizes this as a network-accessible, low-privilege flaw with high attack complexity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated attacker holding a low-privilege account in Organization A on a shared SigNoz instance iterates over likely UUID patterns or harvests a rule UUID through a side channel, then issues a standard alert rule API request substituting that foreign UUID. The missing organization ID predicate causes the backend to return or modify Organization B's alert rule without error. … |
| Remediation | Upgrade SigNoz beyond version 0.130.1 once a patched release is published by the maintainers - track fix status via the upstream GitHub issue at https://github.com/SigNoz/signoz/issues/11830, as no specific fixed version was confirmed in available intelligence at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40141
GHSA-3vgg-7h5g-62mm