CVE-2026-57955
Status: Received - Intake

SQL Injection in SigNoz Exposes ClickHouse Data

Vulnerability report for CVE-2026-57955, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulnCheck

Description

SigNoz through 0.130.1 contains a SQL injection vulnerability that allows authenticated attackers to execute arbitrary ClickHouse queries by injecting URL-encoded quotes into the rule ID path parameter of the alert-history endpoints. Attackers can manipulate the unsanitized rule ID interpolated into ClickHouse queries to read all stored traces, logs, and metrics, or abuse the url() function to perform server-side request forgery.


Meta Information

Published: 2026-06-29
Last Modified: 2026-06-29
Generated: 2026-06-29
AI Q&A: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor    Product    Version / Range
signoz    signoz     0.130.1
signoz    signoz     up to and including 0.130.1

Exploitability

CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection'): The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

AI-generated analysis

Executive Summary

CVE-2026-57955 is a SQL injection vulnerability in SigNoz versions up to 0.130.1 affecting the alert-history API endpoints. Authenticated attackers can inject URL-encoded quotes into the rule ID path parameter, which is unsafely interpolated into ClickHouse queries without proper validation or parameterization.

Because the injected text becomes part of the query, the attacker is not limited to altering a filter: they can break out of the intended statement and run arbitrary ClickHouse queries. The root cause is that the rule ID is interpolated into the query text with string formatting instead of being validated and bound as a query parameter.

Impact Analysis

Exploitation of this vulnerability allows an authenticated attacker to read all stored data in ClickHouse, including traces, logs, and metrics, which can lead to significant data exposure.

Additionally, if the ClickHouse server has outbound network access, the injected query can call the url() table function, making the ClickHouse host fetch attacker-chosen URLs. This is a server-side request forgery (SSRF) against any internal service reachable from that host.

The page lists a CVSS v4.0 base score of 8.3 (High). The impact the advisory documents is confidentiality: any authenticated account that can reach the alert-history endpoints can read every trace, log, and metric stored in ClickHouse, with SSRF as a secondary effect. Whether arbitrary queries also allow modification or disruption of data depends on the privileges of the ClickHouse account SigNoz connects with, which the advisory does not state.

Detection Guidance

The simplest signal is a request to the alert-history endpoints whose rule ID path segment contains a URL-encoded single quote (%27). Do not rely on that string alone: a client may send the quote raw (') or double-encoded (%2527). Since the fix validates the rule ID as a UUID, the more robust rule is to flag any request on these routes whose ID segment, after percent-decoding, is not a well-formed UUID.

Specifically, look for POST requests to the following endpoints with unusual or malformed rule ID values:

  • POST /api/v1/rules/{id}/history/stats
  • POST /api/v1/rules/{id}/history/overall_status

You can use network monitoring tools or web server logs to search for requests containing %27 in the {id} path parameter.

Example command using grep on web server logs to find suspicious requests. The pattern matches a raw, single-encoded or double-encoded single quote anywhere in the {id} segment, which is bounded by the surrounding slashes (the original `.+` on either side of %27 would have missed an ID that ends in the quote):

  • grep -E "/api/v1/rules/[^/ ]*('|%27|%2527)[^/ ]*/history/(stats|overall_status)" access.log

Additionally, inspecting application logs for errors or unusual query patterns involving the rule ID parameter may help detect exploitation attempts.
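The following is an added example, not part of the original advisory and not SigNoz code. It implements the detection rule above over constructed Combined Log Format records: it extracts the rule ID segment from the raw request path, percent-decodes it repeatedly (so %2527 unwraps to %27 and then to a quote), and flags any ID on the two alert-history routes that contains a quote character or is not a canonical UUID. The sample log lines, IP addresses and rule UUID are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Route shape from the advisory: /api/v1/rules/{id}/history/{stats|overall_status}.
// The rule ID is captured from the raw (still-encoded) path so that an encoded
// slash cannot shift the segment boundaries before we look at it.
var routeRe = regexp.MustCompile(`^/api/v1/rules/([^/]+)/history/(stats|overall_status)$`)

// Canonical 8-4-4-4-12 hex UUID; the advisory says the fix validates the ID as a UUID.
var uuidRe = regexp.MustCompile(`^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$`)

// Request line inside a Common/Combined Log Format record: "METHOD target HTTP/x.y".
var requestRe = regexp.MustCompile(`"([A-Z]+) ([^ "]+) HTTP/[0-9.]+"`)

type Finding struct {
	Line   int    // 1-based index into the scanned lines
	Method string
	RawID  string // rule ID segment exactly as it appeared in the request
	ID     string // the same segment after percent-decoding
	Reason string
}

// decodeFully percent-decodes repeatedly so that %2527 becomes %27 and then ',
// which catches double-encoded quotes that a single-pass %27 search misses.
func decodeFully(s string) string {
	for i := 0; i < 3; i++ {
		d, err := url.PathUnescape(s)
		if err != nil || d == s {
			break
		}
		s = d
	}
	return s
}

// ScanAccessLog returns one Finding per alert-history request whose rule ID
// contains a quote character or is not a canonical UUID.
func ScanAccessLog(lines []string) []Finding {
	var findings []Finding
	for n, line := range lines {
		m := requestRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		method, target := m[1], m[2]
		if i := strings.IndexByte(target, '?'); i >= 0 {
			target = target[:i] // the query string is irrelevant to the path parameter
		}
		r := routeRe.FindStringSubmatch(target)
		if r == nil {
			continue
		}
		rawID := r[1]
		id := decodeFully(rawID)
		f := Finding{Line: n + 1, Method: method, RawID: rawID, ID: id}
		switch {
		case strings.ContainsAny(id, "'\"\\"):
			f.Reason = "quote character in rule ID"
		case !uuidRe.MatchString(id):
			f.Reason = "rule ID is not a canonical UUID"
		default:
			continue
		}
		findings = append(findings, f)
	}
	return findings
}

// Constructed sample records (not real SigNoz traffic): one benign request,
// a %27 injection attempt, a double-encoded attempt, a non-UUID ID, and an
// unrelated endpoint that must not be flagged.
var sampleLog = []string{
	`10.0.0.5 - - [29/Jun/2026:10:00:01 +0000] "POST /api/v1/rules/0c1f0d6e-2b3a-4c5d-8e9f-0a1b2c3d4e5f/history/stats HTTP/1.1" 200 512`,
	`10.0.0.9 - - [29/Jun/2026:10:00:02 +0000] "POST /api/v1/rules/0c1f0d6e-2b3a-4c5d-8e9f-0a1b2c3d4e5f%27%20OR%201=1--/history/stats HTTP/1.1" 200 9832`,
	`10.0.0.9 - - [29/Jun/2026:10:00:03 +0000] "POST /api/v1/rules/x%2527/history/overall_status HTTP/1.1" 500 0`,
	`10.0.0.9 - - [29/Jun/2026:10:00:04 +0000] "POST /api/v1/rules/123/history/stats HTTP/1.1" 404 0`,
	`10.0.0.5 - - [29/Jun/2026:10:00:05 +0000] "GET /api/v1/rules HTTP/1.1" 200 120`,
}

func main() {
	for _, f := range ScanAccessLog(sampleLog) {
		fmt.Printf("line %d: %s rule_id=%q (decoded %q): %s\n", f.Line, f.Method, f.RawID, f.ID, f.Reason)
	}
}
```

Run against a real access log by replacing sampleLog with the file's lines. The UUID check is the part worth keeping: it catches payloads that avoid the quote character entirely, whereas a %27-only search is tied to one encoding of one character.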

Mitigation Strategies

The immediate mitigation is to limit who can reach the alert-history endpoints. The flaw requires authentication, so any account that can call these routes can exploit it; restrict them (for example at a reverse proxy) to the smallest set of trusted users until the fix is deployed.

Avoid using versions of SigNoz up to and including 0.130.1, as these are confirmed vulnerable.

Apply the fix that validates the rule ID path parameter as a UUID before use and uses parameterized queries instead of string formatting to prevent SQL injection.

If an updated version or patch is available, upgrade SigNoz to a version that includes this fix.

In the meantime, monitor and block requests to these routes whose rule ID segment, after percent-decoding, contains a quote character or is not a well-formed UUID. A rule that looks only for the literal string %27 is easy to sidestep with a different encoding.
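The following is an added example and is not SigNoz's code or its actual fix. It shows the faulty pattern the advisory describes beside the hardened form: the vulnerable builder formats the path parameter straight into the SQL text, while the safe builder rejects anything that is not a canonical UUID and binds the value through a placeholder so it never becomes part of the query. The table name `signoz_alerts.rule_history`, the column names, the query itself and the rule UUID are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Canonical lower-case UUID; the safe builder normalises case before matching.
var uuidRe = regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`)

// Assumed table name for illustration only (not SigNoz's real schema).
const statsTable = "signoz_alerts.rule_history"

// BuildStatsQueryVulnerable reproduces the faulty pattern the advisory
// describes: the path parameter is formatted straight into the SQL text, so a
// quote in ruleID terminates the literal and everything after it is parsed as SQL.
func BuildStatsQueryVulnerable(ruleID string) string {
	return fmt.Sprintf(
		"SELECT state, count() AS n FROM %s WHERE rule_id = '%s' GROUP BY state",
		statsTable, ruleID)
}

// BuildStatsQuerySafe is the hardened form: reject anything that is not a
// well-formed UUID, and bind the value with a placeholder so it is never part
// of the query text. The returned args are meant for the client's
// Query(ctx, query, args...) call.
func BuildStatsQuerySafe(ruleID string) (string, []any, error) {
	id := strings.ToLower(strings.TrimSpace(ruleID))
	if !uuidRe.MatchString(id) {
		return "", nil, errors.New("rule id must be a canonical UUID")
	}
	q := fmt.Sprintf("SELECT state, count() AS n FROM %s WHERE rule_id = ? GROUP BY state", statsTable)
	return q, []any{id}, nil
}

// LiteralBoundaryBroken is a tripwire for the vulnerable builder: a correctly
// quoted rule ID yields exactly two single quotes in the query text; any other
// count means the string literal boundary has been broken by the input.
func LiteralBoundaryBroken(query string) bool {
	return strings.Count(query, "'") != 2
}

func main() {
	good := "0c1f0d6e-2b3a-4c5d-8e9f-0a1b2c3d4e5f" // constructed rule ID
	bad := good + "' OR 1=1 --"                     // generic break-out payload

	fmt.Println("vulnerable, benign:  ", BuildStatsQueryVulnerable(good))
	fmt.Println("vulnerable, injected:", BuildStatsQueryVulnerable(bad))
	fmt.Println("literal boundary broken:", LiteralBoundaryBroken(BuildStatsQueryVulnerable(bad)))

	if q, args, err := BuildStatsQuerySafe(good); err == nil {
		fmt.Println("safe:", q, args)
	}
	if _, _, err := BuildStatsQuerySafe(bad); err != nil {
		fmt.Println("safe rejects injected id:", err)
	}
}
```

The two defences are independent and both are worth having: UUID validation stops the malformed value at the edge of the handler, and the placeholder keeps the query text constant so that even a value which slipped past validation would be treated as data (with the ClickHouse Go client, the query and args are passed as `Query(ctx, q, args...)` and the `?` is bound by the driver). Validation alone would not protect a code path that later formats the ID into a different query.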
