CVE-2026-57955 in SigNoz

Summary

by MITRE • 06/29/2026

SigNoz through 0.130.1 contains a SQL injection vulnerability that allows authenticated attackers to execute arbitrary ClickHouse queries by injecting URL-encoded quotes into the rule ID path parameter of the alert-history endpoints. Attackers can manipulate the unsanitized rule ID interpolated into ClickHouse queries to read all stored traces, logs, and metrics, or abuse the url() function to perform server-side request forgery.


Analysis

by VulDB Data Team • 06/30/2026

This vulnerability exists in SigNoz version 0.130.1 and earlier and is a critical SQL injection flaw in the monitoring platform's data access layer. It affects the alert-history endpoints, where the rule ID path parameter is processed without input sanitization, so an authenticated attacker can alter database queries by supplying URL-encoded quotes. The root cause is direct interpolation of the user-supplied rule ID into ClickHouse query strings, bypassing the parameterized query execution that would normally prevent such injection.
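The interpolation pattern described above next to its parameterized replacement, as an added example in Go that is not SigNoz's own code and not part of the VulDB analysis: vulnerableAlertHistoryQuery splices the decoded path segment straight into the query text, while safeAlertHistoryQuery rejects anything that is not a plain identifier and hands the ID to the driver as a bound argument. The table name, column names and the rule-ID character set are assumptions chosen for illustration, not taken from the project.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// ruleIDPattern is an assumed allowlist for rule identifiers (letters, digits,
// '-' and '_'); the real project's ID format may differ.
var ruleIDPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

// vulnerableAlertHistoryQuery reproduces the flaw class from the advisory: the
// rule ID from the URL path is percent-decoded and interpolated into the
// ClickHouse SQL text, so a quote inside the ID terminates the string literal.
// Table and column names are hypothetical.
func vulnerableAlertHistoryQuery(rawRuleID string) string {
	ruleID, err := url.PathUnescape(rawRuleID)
	if err != nil {
		ruleID = rawRuleID
	}
	return fmt.Sprintf(
		"SELECT state, unix_milli FROM rule_state_history WHERE rule_id = '%s' ORDER BY unix_milli DESC",
		ruleID)
}

// Query is a parameterized statement: SQL text with '?' placeholders plus the
// arguments the driver binds separately, so they are never parsed as SQL.
type Query struct {
	SQL  string
	Args []any
}

// safeAlertHistoryQuery validates the decoded rule ID against the allowlist and
// never places it in the query text; it travels only as a bound parameter.
func safeAlertHistoryQuery(rawRuleID string) (Query, error) {
	ruleID, err := url.PathUnescape(rawRuleID)
	if err != nil {
		return Query{}, fmt.Errorf("malformed rule id encoding: %w", err)
	}
	if !ruleIDPattern.MatchString(ruleID) {
		return Query{}, fmt.Errorf("rule id %q rejected: not a valid identifier", ruleID)
	}
	return Query{
		SQL:  "SELECT state, unix_milli FROM rule_state_history WHERE rule_id = ? ORDER BY unix_milli DESC",
		Args: []any{ruleID},
	}, nil
}

func main() {
	// Constructed input: a URL-encoded quote inside the rule-ID path segment.
	injected := "r1%27%20OR%201%3D1%20--%20"
	fmt.Println("vulnerable:", vulnerableAlertHistoryQuery(injected))
	if _, err := safeAlertHistoryQuery(injected); err != nil {
		fmt.Println("hardened:", err)
	}
	q, _ := safeAlertHistoryQuery("rule_abc-1")
	fmt.Printf("hardened: %s args=%v\n", q.SQL, q.Args)
}
```

The validation step is defence in depth, not the fix by itself: the binding is what keeps user input out of the SQL grammar, and the allowlist additionally rejects malformed IDs before any database round trip, which also gives a cheap log signal.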

The operational impact of this vulnerability extends beyond simple data exfiltration, as it provides attackers with comprehensive access to all stored monitoring data including traces, logs, and metrics that the system maintains. This represents a significant compromise of the platform's confidentiality controls and can expose sensitive operational information that organizations rely on for security monitoring and compliance purposes. The vulnerability enables attackers to perform unauthorized data access at scale, potentially exposing infrastructure insights, application performance data, and system behavior patterns that could inform further attacks.

The exploitation mechanism leverages the ClickHouse database's url() function as an additional attack vector, allowing adversaries to execute server-side request forgery attacks through the injected SQL queries. This extension of the vulnerability's capabilities demonstrates how a single injection point can be weaponized for multiple attack objectives, including data exfiltration through external connections and potential lateral movement within network environments. The combination of data reading capabilities and SSRF exploitation creates a particularly dangerous scenario for organizations relying on SigNoz for their monitoring infrastructure.

Organizations should implement immediate mitigations including input validation and sanitization of all user-supplied parameters in API endpoints, particularly those that interact with backend databases. The solution requires proper parameterized query construction to prevent direct string interpolation of user inputs into SQL commands. Additionally, implementing robust access controls and monitoring for unusual API access patterns can help detect exploitation attempts. This vulnerability aligns with CWE-89 SQL injection and follows attack patterns documented in the ATT&CK framework under T1071.004 Application Layer Protocol and T1566.002 Phishing: Spearphishing Attachment, as attackers may use this vulnerability to gain unauthorized access to sensitive monitoring data that could be used for further targeting of systems within the monitored environment.
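One concrete form of the access-pattern monitoring recommended above, as an added example that is not part of the VulDB analysis or of SigNoz: it scans constructed combined-format access-log lines for requests to the alert-history path family whose rule-ID segment decodes to something containing a quote or falling outside a plain identifier character set. The path layout, the log format and the identifier rule are assumptions for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// sampleAccessLog is constructed sample data, not real SigNoz output.
const sampleAccessLog = `10.0.0.5 - - [29/Jun/2026:10:01:02 +0000] "GET /api/v1/rules/rule_abc-1/history/timeline HTTP/1.1" 200 512
10.0.0.7 - - [29/Jun/2026:10:01:09 +0000] "GET /api/v1/rules/r1%27%20OR%201%3D1%20--%20/history/timeline HTTP/1.1" 500 0
10.0.0.7 - - [29/Jun/2026:10:01:15 +0000] "GET /api/v1/rules/r1%22/history/stats HTTP/1.1" 500 0
10.0.0.9 - - [29/Jun/2026:10:02:00 +0000] "GET /api/v1/dashboards HTTP/1.1" 200 2048`

// requestLine extracts method and path from the quoted request field.
var requestLine = regexp.MustCompile(`"([A-Z]+) ([^ "]+) HTTP/`)

// alertHistoryPath is the assumed path family; it captures the still-encoded
// rule-ID segment.
var alertHistoryPath = regexp.MustCompile(`^/api/v1/rules/([^/]+)/history/`)

// ruleIDPattern is the assumed allowlist for a well-formed rule identifier.
var ruleIDPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

// Finding records one suspicious request.
type Finding struct {
	ClientIP  string
	RawRuleID string
	Reason    string
}

// inspectRuleID decodes the path segment and reports why it looks suspicious.
func inspectRuleID(raw string) (reason string, suspicious bool) {
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		return "malformed percent-encoding", true
	}
	if strings.ContainsAny(decoded, `'"`) {
		return "quote character in rule id", true
	}
	if !ruleIDPattern.MatchString(decoded) {
		return "rule id outside allowed charset", true
	}
	return "", false
}

// ScanAccessLog returns a finding for every alert-history request whose
// rule-ID segment fails inspection; other paths are ignored.
func ScanAccessLog(log string) []Finding {
	var findings []Finding
	for _, line := range strings.Split(log, "\n") {
		m := requestLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		p := alertHistoryPath.FindStringSubmatch(m[2])
		if p == nil {
			continue
		}
		if reason, bad := inspectRuleID(p[1]); bad {
			ip := strings.Fields(line)[0]
			findings = append(findings, Finding{ClientIP: ip, RawRuleID: p[1], Reason: reason})
		}
	}
	return findings
}

func main() {
	for _, f := range ScanAccessLog(sampleAccessLog) {
		fmt.Printf("%s rule_id=%q reason=%s\n", f.ClientIP, f.RawRuleID, f.Reason)
	}
}
```

Decoding before matching matters: an alert that only looks for a literal quote in the raw path misses the URL-encoded form the advisory describes, and a rule that only looks for %27 misses double encoding or a raw quote that a proxy normalized. Checking the decoded value against an identifier allowlist covers all three.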

The security implications extend to compliance requirements where organizations must maintain proper segregation of monitoring data and prevent unauthorized access to operational insights. This vulnerability essentially removes the database-level access controls that should protect sensitive monitoring information, potentially violating data protection regulations and security framework requirements such as those outlined in ISO 27001 and NIST Cybersecurity Framework. Regular security assessments and input validation reviews should be implemented to prevent similar issues in other components of the monitoring stack, particularly in systems where database interactions are not properly abstracted through secure query execution patterns.

Responsible

VulnCheck

Reservation

06/26/2026

Disclosure

06/29/2026

Moderation

accepted

CPE

ready

EPSS

0.00235

KEV

no

Activities

very low

Sources
