CVE-2026-63094
Received Received - Intake

Open Redirect in SigNoz SSO Authentication Flow

Vulnerability report for CVE-2026-63094, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: VulnCheck

Description

SigNoz through 0.133.0 contains an open redirect vulnerability in the SSO authentication flow that allows unauthenticated attackers to steal session tokens from any user on instances configured with Google OAuth, SAML, or OIDC. Attackers can call the unauthenticated sessions context endpoint with a ref parameter pointing to an attacker-controlled host, deliver the resulting crafted login URL to a victim, and receive the victim's access and refresh tokens when they complete SSO authentication.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
sig_noz signoz to 0.133.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

SigNoz through 0.133.0 has an open redirect vulnerability in its SSO authentication flow. Unauthenticated attackers can steal session tokens from users by exploiting an unvalidated 'ref' parameter in the /api/v2/sessions/context endpoint. Attackers craft malicious login URLs with a 'ref' pointing to their server, trick victims into authenticating, and then receive the victim's access and refresh tokens via the redirect.

Detection Guidance

To detect this vulnerability, check if your SigNoz instance is running version 0.133.0 or earlier. Inspect network traffic for suspicious OAuth callback URLs containing session tokens being redirected to external domains. Review logs for repeated requests to the /api/v2/sessions/context endpoint with arbitrary ref parameters.

Impact Analysis

If you use SigNoz with Google OAuth, SAML, or OIDC, an attacker could steal your session tokens. This means they could gain unauthorized access to your SigNoz account, view sensitive data, or perform actions on your behalf without your knowledge.

Compliance Impact

This vulnerability could lead to unauthorized access to personal or sensitive data, violating GDPR's data protection principles and HIPAA's security requirements. It may result in data breaches, non-compliance penalties, and loss of trust in systems handling regulated data.

Mitigation Strategies

Upgrade SigNoz to a version beyond 0.133.0. Configure the oauth_state_secret and allowed_redirect_origins settings as per the fix. Ensure all OAuth providers (Google, OIDC, SAML) use signed states. Monitor for unauthorized token exfiltration attempts via network logs.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-63094. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart