CVE-2026-63094 in SigNozinfo

Summary

by MITRE • 07/17/2026

SigNoz through 0.133.0 contains an open redirect vulnerability in the SSO authentication flow that allows unauthenticated attackers to steal session tokens from any user on instances configured with Google OAuth, SAML, or OIDC. Attackers can call the unauthenticated sessions context endpoint with a ref parameter pointing to an attacker-controlled host, deliver the resulting crafted login URL to a victim, and receive the victim's access and refresh tokens when they complete SSO authentication.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/17/2026

This vulnerability exists within SigNoz versions up to 0.133.0 and represents a critical open redirect flaw in the single sign-on authentication mechanism. The issue specifically affects systems configured with Google OAuth, SAML, or OIDC authentication methods where the application fails to properly validate redirect URLs during the authentication flow. The vulnerability stems from insufficient input validation of the ref parameter in the unauthenticated sessions context endpoint, allowing attackers to manipulate the redirect destination to arbitrary hosts controlled by the attacker.

The technical implementation of this flaw enables attackers to construct malicious login URLs that appear legitimate to users while secretly redirecting them to attacker-controlled domains. When victims click these crafted links and complete the SSO authentication process, their access and refresh tokens are transmitted to the attacker's infrastructure instead of the legitimate application server. This occurs because the application does not perform proper URL validation or canonicalization checks before establishing the redirect path. The vulnerability operates at the application layer and leverages the trust relationship between the authentication provider and the application, making it particularly dangerous as users are typically unaware they are being redirected to malicious infrastructure.

The operational impact of this vulnerability is severe as it allows for complete session hijacking without requiring any prior authentication credentials from the attacker. An attacker can target any user within the system who has access to the vulnerable SigNoz instance, potentially gaining access to sensitive monitoring data, configuration settings, and administrative capabilities. The attack chain involves initial reconnaissance to identify vulnerable instances, crafting malicious URLs with the ref parameter pointing to attacker-controlled domains, delivering these links through social engineering or other means, and then capturing the tokens when victims authenticate successfully. This vulnerability directly maps to CWE-601 Open Redirect and aligns with ATT&CK technique T1566.002 for credential access through social engineering.

Mitigation strategies should focus on implementing strict URL validation mechanisms that reject any redirect destinations outside of predefined trusted domains. Organizations should enforce whitelisting of allowed redirect URLs in the SSO configuration, implement proper input sanitization of all parameters passed to authentication endpoints, and consider using state parameters with cryptographic signatures to prevent manipulation of the authentication flow. Additionally, organizations should immediately update to SigNoz versions that have patched this vulnerability and conduct thorough security reviews of all authentication flows within their applications. Network-level monitoring should be enhanced to detect unusual redirect patterns and token transmission to external domains, while security teams should implement proper session management practices including short-lived tokens and robust token validation mechanisms to minimize the impact if exploitation occurs.

Responsible

VulnCheck

Reservation

07/15/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you know our Splunk app?

Download it now for free!