Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable authenticated low-priv user (PR:L) injects SQL; full telemetry read (C:H), SSRF crosses to other systems (S:C), limited integrity, no availability impact.
Primary rating from Vendor (vulncheck).
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
SigNoz through 0.130.1 contains a SQL injection vulnerability that allows authenticated attackers to execute arbitrary ClickHouse queries by injecting URL-encoded quotes into the rule ID path parameter of the alert-history endpoints. Attackers can manipulate the unsanitized rule ID interpolated into ClickHouse queries to read all stored traces, logs, and metrics, or abuse the url() function to perform server-side request forgery.
AnalysisAI
SQL injection in SigNoz observability platform (versions through 0.130.1) lets authenticated, low-privileged users inject arbitrary ClickHouse queries through the unsanitized rule ID path parameter of the alert-history endpoints. By URL-encoding quote characters that break out of the interpolated rule ID, an attacker can read every stored trace, log, and metric, and can abuse ClickHouse's url() table function to pivot into server-side request forgery against internal services. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated SigNoz account of at least low privilege (PR:L) with network access to the alert-history / rule-history endpoints, and the ability to send a crafted rule ID path parameter containing URL-encoded quote characters that escape the interpolated ClickHouse query string. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N, base 8.3) is internally consistent with the description: network-reachable, low complexity, requires an authenticated low-privilege account (PR:L), high confidentiality impact on the vulnerable system (full read of telemetry), and a high subsequent-system confidentiality impact (SC:H) reflecting the SSRF pivot. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged analyst (or an attacker who has phished or otherwise obtained any SigNoz login) sends a request to an alert-history endpoint with a rule ID containing URL-encoded quotes that break out of the interpolated ClickHouse query. They append a SELECT to dump traces, logs, and metrics belonging to other teams or tenants, then use a url()-based payload to make the ClickHouse server request an internal metadata or admin endpoint, achieving SSRF. … |
| Remediation | No vendor-released patched version is identified in the available data; the references point to a VulnCheck advisory and to GitHub issue SigNoz/signoz#11747 rather than a tagged release, so upgrade to the latest SigNoz build above 0.130.1 once a fixed version is published and confirmed by the project, and monitor issue #11747 for the patch commit. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40140
GHSA-h37r-3qfp-73w6