{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/signoz/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-63094"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SigNoz \u003c= 0.133.0"],"_cs_severities":["high"],"_cs_tags":["open-redirect","sso","vulnerability","web-application","credential-theft"],"_cs_type":"advisory","_cs_vendors":["SigNoz"],"content_html":"\u003cp\u003eAn open redirect vulnerability, identified as CVE-2026-63094, has been discovered in SigNoz versions up to and including 0.133.0. This flaw affects instances configured to use Single Sign-On (SSO) authentication methods such as Google OAuth, SAML, or OIDC. Unauthenticated attackers can leverage this vulnerability by crafting a specific login URL containing a malicious \u003ccode\u003eref\u003c/code\u003e parameter. This parameter, when exploited, directs the victim to an attacker-controlled host after they complete a legitimate SSO authentication process. The primary objective of this attack is to steal the victim's session tokens, including access and refresh tokens, which could then be used to impersonate the user and gain unauthorized access to their SigNoz instance and potentially other linked services. The absence of proper validation for the \u003ccode\u003eref\u003c/code\u003e parameter in the SSO authentication flow is the root cause, making this a critical concern for defenders, as it allows for easy credential harvesting.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a vulnerable SigNoz instance configured with Google OAuth, SAML, or OIDC.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL for the \u0026quot;unauthenticated sessions context endpoint\u0026quot; within SigNoz, embedding a \u003ccode\u003eref\u003c/code\u003e parameter that points to an attacker-controlled domain.\u003c/li\u003e\n\u003cli\u003eThe attacker delivers this crafted URL to a target victim, typically via social engineering tactics such as phishing.\u003c/li\u003e\n\u003cli\u003eThe victim clicks the malicious URL, which initiates the legitimate SigNoz SSO authentication flow.\u003c/li\u003e\n\u003cli\u003eThe victim successfully completes the SSO authentication process with their identity provider (e.g., Google, Okta).\u003c/li\u003e\n\u003cli\u003eUpon successful authentication, the SigNoz application, due to the open redirect vulnerability, redirects the victim's browser to the attacker-controlled domain specified in the \u003ccode\u003eref\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker's server captures the victim's session tokens (access and refresh tokens) that are sent during the redirection process, leading to session compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-63094 allows unauthenticated attackers to steal session tokens (both access and refresh tokens) from any user on affected SigNoz instances utilizing SSO. This compromises the integrity of user sessions, granting attackers unauthorized access to the victim's SigNoz environment. Depending on the privileges of the compromised account and the configuration of the SigNoz instance, attackers could view sensitive data, manipulate monitoring configurations, or potentially move laterally within the organization's infrastructure if SigNoz is integrated with other systems. The specific number of affected organizations or users is not disclosed, but any organization using SigNoz through version 0.133.0 with SSO enabled is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-63094 immediately by updating SigNoz to a version beyond 0.133.0 as soon as a fix is available from the vendor.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for any suspicious HTTP requests to the \u0026quot;unauthenticated sessions context endpoint\u0026quot; containing \u003ccode\u003eref\u003c/code\u003e parameters that point to unfamiliar or external domains, as this could indicate attempted exploitation.\u003c/li\u003e\n\u003cli\u003eImplement security awareness training for users to recognize and avoid phishing attempts involving suspicious login URLs, which is the primary delivery mechanism for this threat.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-17T15:18:56Z","date_published":"2026-07-17T15:18:56Z","id":"https://feed.craftedsignal.io/briefs/2026-07-signoz-open-redirect/","summary":"An open redirect vulnerability exists in SigNoz through version 0.133.0 within its SSO authentication flow, affecting instances configured with Google OAuth, SAML, or OIDC. Unauthenticated attackers can exploit this by crafting a login URL with a malicious `ref` parameter pointing to an attacker-controlled host. By delivering this crafted URL to a victim, attackers can steal the victim's access and refresh tokens upon successful SSO authentication, leading to session compromise.","title":"SigNoz Open Redirect Vulnerability Allows Session Token Theft (CVE-2026-63094)","url":"https://feed.craftedsignal.io/briefs/2026-07-signoz-open-redirect/"}],"language":"en","title":"CraftedSignal Threat Feed - SigNoz","version":"https://jsonfeed.org/version/1.1"}