SQL Injection Vulnerability in SigNoz Product by SigNoz
CVE-2026-57955

8.3HIGH

Key Information:

Vendor: Signoz
Status: Signoz
Vendor: CVE Published:; 29 June 2026

What is CVE-2026-57955?

The SigNoz product version 0.130.1 is affected by a SQL injection vulnerability that enables authenticated attackers to perform unauthorized actions via the alert-history endpoint. By injecting URL-encoded quotes into the rule ID path parameter, attackers can manipulate unsanitized data to execute arbitrary queries on ClickHouse. This exploitation could allow them to access stored traces, logs, and metrics, or utilize the url() function to initiate server-side request forgery attacks.

Affected Version(s)

signoz 0 <= 0.130.1

References

https://github.com/SigNoz/signoz/issues/11747

issue-tracking

https://www.vulncheck.com/advisories/signoz-sql-injection...

third-party-advisory

CVSS V4

Score:

8.3

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 29, 2026
Vulnerability Reserved
Jun 26, 2026

Credit

George Chen

CVE-2026-57955 Data

JSON

Signoz

What is CVE-2026-57955?

Affected Version(s)

References

CVSS V4

Timeline

Credit