Description
SigNoz through 0.130.1 contains a SQL injection vulnerability that allows authenticated attackers to execute arbitrary ClickHouse queries by injecting URL-encoded quotes into the rule ID path parameter of the alert-history endpoints. Attackers can manipulate the unsanitized rule ID interpolated into ClickHouse queries to read all stored traces, logs, and metrics, or abuse the url() function to perform server-side request forgery.
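The pattern the description names, a decoded path parameter interpolated into query text, and its corrected form are shown below as an added example. This is not SigNoz's code: the table name, column name, rule-ID format and the `?` placeholder style (database/sql-compatible ClickHouse driver) are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// ruleIDPattern is an assumed allow-list for rule identifiers (hypothetical:
// the real SigNoz identifier format is not stated on this page).
var ruleIDPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

// ErrInvalidRuleID is returned when the path parameter fails validation.
var ErrInvalidRuleID = errors.New("invalid rule id")

// unsafeAlertHistoryQuery mirrors the vulnerable pattern described in the CVE:
// the URL-decoded path parameter is pasted straight into the query text, so a
// quote inside it ends the string literal early and the rest of the value
// becomes query syntax. Table and column names are assumed.
func unsafeAlertHistoryQuery(rawRuleID string) (string, error) {
	ruleID, err := url.PathUnescape(rawRuleID)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("SELECT * FROM alert_history WHERE rule_id = '%s'", ruleID), nil
}

// safeAlertHistoryQuery validates the decoded parameter against the allow-list
// and then binds it as a query parameter instead of interpolating it. The
// returned args slice is what would be handed to the driver alongside the SQL.
func safeAlertHistoryQuery(rawRuleID string) (string, []any, error) {
	ruleID, err := url.PathUnescape(rawRuleID)
	if err != nil {
		return "", nil, err
	}
	if !ruleIDPattern.MatchString(ruleID) {
		return "", nil, ErrInvalidRuleID
	}
	return "SELECT * FROM alert_history WHERE rule_id = ?", []any{ruleID}, nil
}

// queryKeepsBoundary reports whether the single string literal in the built
// query still has exactly its opening and closing quote; any extra quote means
// the parameter escaped the literal.
func queryKeepsBoundary(q string) bool {
	return strings.Count(q, "'") == 2
}

func main() {
	// Constructed sample inputs: a well-formed ID and a URL-encoded one carrying a quote.
	for _, raw := range []string{"rule-42", "rule-42%27"} {
		q, _ := unsafeAlertHistoryQuery(raw)
		fmt.Printf("unsafe %-11s -> %q (literal boundary intact: %v)\n", raw, q, queryKeepsBoundary(q))
		sq, args, err := safeAlertHistoryQuery(raw)
		fmt.Printf("safe   %-11s -> %q args=%v err=%v\n", raw, sq, args, err)
	}
}
```

The allow-list check rejects the malformed input before any query is built, and the bound parameter means that even an identifier format change later cannot turn a value back into syntax; the two controls are independent and both are worth keeping.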
Severity (CVSS)
| Base score | 8.3 |
|---|---|
| Severity | High |
| Version | CVSS 4.0 |
| Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N |
| Provided by | CNA |
Weaknesses
- CWE-89 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Affected products
| Vendor | Product | Versions |
|---|---|---|
| SigNoz | signoz | 0 to <=0.130.1 |
References
- https://github.com/SigNoz/signoz/issues/11747 (issue-tracking)
- https://www.vulncheck.com/advisories/signoz-sql-injection-in-alert-history-endpoints-via-rule-id-parameter (third-party-advisory)
Generated from the official CVE List on 30 Jun 2026 07:04 UTC.