The Circuitry
THE CIRCUITRYYour one-stop source for all tech news
HOMETODAYNEWSFEEDEVENTS
BOOKMARKS
RSS
© 2026 The Circuitry
About UsSourcesContactCorrectionsPrivacy
  • Today
  • Feed
  • Events
  • Saved
Scroll for more
Verification
VERIFIEDConfidence: HIGH
Source identified
Claims cross-referenced
No discrepancies found
Fact-check summary

NVD published CVE-2026-63094 today on the SigNoz SSO open redirect flaw, matching the VulnCheck advisory and GitHub links.

Sourcing
1source

via NVD

NVD · track record
4Stories
75%Verified
430d
All sources →
Home/Tech/SigNoz 0.133.0 Open Redirect Lets Attackers Steal SSO Tokens
VERIFIEDBy Xavier Rivera· ·1 min read

SigNoz 0.133.0 Open Redirect Lets Attackers Steal SSO Tokens

SigNoz through 0.133.0 is affected by a reported open redirect in the SSO flow (referenced in NVD as CVE-2026-63094) that lets unauthenticated attackers steal access and refresh tokens from users on Google OAuth, SAML, or OIDC instances. The CVSS 3.1 score of 8.1 from VulnCheck marks it high severity and requires immediate patching on affected self-hosted deployments.

Source:NVD
Post
SigNoz 0.133.0 Open Redirect Lets Attackers Steal SSO Tokens
TL;DRAI · 60 sec read

SigNoz through version 0.133.0 contains an open redirect vulnerability in its SSO authentication flow. Unauthenticated attackers craft login URLs with a ref parameter that points to attacker-controlled hosts. Victims authenticating via Google OAuth, SAML, or OIDC then send their access and refresh tokens to the attacker. The flaw carries a CVSS 3.1 score of 8.1.

SigNoz through version 0.133.0 contains a high-severity open redirect vulnerability in its SSO authentication flow.

The flaw enables session token theft on configured instances. Unauthenticated attackers can exploit the vulnerability on deployments using Google OAuth, SAML, or OIDC. They call the unauthenticated sessions context endpoint with a ref parameter that points to an attacker-controlled host.
The flaw enables session token theft on configured instances.

The crafted login URL is then delivered to a victim. When the victim completes SSO authentication, the attacker receives the victim's access and refresh tokens.

CVSS scores rate the issue as high severity. The CVSS 3.1 base score stands at 8.1 with vector string AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. A separate CVSS 4.0 assessment from VulnCheck lists a base score of 7.6.
From The CircuitryThe Feed — live briefs across tech, all day.See what’s happening →

The vulnerability falls under CWE-601 for URL Redirection to Untrusted Site and CWE-345 for Insufficient Verification of Data Authenticity. Both classifications come from VulnCheck.
When the victim completes SSO authentication, the attacker receives the victim's access and refresh tokens.

Fixes and disclosure references are now public. The issue was published to the CVE List on July 17, 2026. Related links include a GitHub issue at https://github.com/SigNoz/signoz/issues/11746, a pull request at https://github.com/SigNoz/signoz/pull/11844, and a VulnCheck advisory at https://www.vulncheck.com/advisories/signoz-sso-oauth-state-manipulation-session-token-theft.
Affected versions run from 0.0 through 0.133.0 according to the semver range listed in the CVE record. The record notes that this CVE was received from VulnCheck on July 17, 2026 at 11:16:47 AM. No NVD-provided CVSS 4.0 vector is available yet.
Why this mattersAI · ~100 words

Tap a lens to see what this story means for you.

Reader-supported
DonateBuy me a coffee →Follow@thecircuitry_ →Follow@thecircuitry.to →

Reader-supported · The Brief

Liked this? The Brief brings you the whole day in tech, verified, every morning. Two minutes, free forever.

HELP US IMPROVE
From The Circuitry

See what’s happening right now

The Feed runs all day — short, verified briefs the moment they break.

Open the Feed →
From The Circuitry

Follow @thecircuitry_

Every story we publish, as it happens. No noise between.

Follow on X ↗On Bluesky ↗

Reader-supported

The Circuitry is a passion project I've always wanted to build, and I love the work behind it.

Running it costs real money. APIs, hosting, time. To keep improving the site and growing this into something useful for everyone, those costs have to be covered.

Any contribution is appreciated. If not, no pressure. Thanks for reading.

Buy me a coffee
vulnerabilitysecuritysso
More fromNVD
  • Critical Privilege Escalation Flaw Reported in WordPress Plugin Aimogen Pro

    Tech · 4h
  • Lenovo App Store Path Traversal Flaw Rated High Severity

    Tech · 1d
  • Critical RCE Flaw in Windows GDI+ Carries 9.6 CVSS Score

    Tech · 2d
More inTech
  • Critical Privilege Escalation Flaw Reported in WordPress Plugin Aimogen Pro

    Tech · 4h
  • OpenAI admits GPT-5.6 occasionally deletes files – but it's an 'honest mistake'

    Tech · 18h
  • Netflix Applied GenAI Workflows to Approximately 300 Shows and Films This Year

    Tech · 20h
SupportThe Work

The Circuitry is reader-supported. If you find the daily brief useful, you can buy me a coffee to keep it going.

Buy a coffee →
SubscribeCircuitry Brief

Liked this? The Brief brings you the whole day in tech, verified, every morning. Free forever.

MORE IN TECH

Critical Privilege Escalation Flaw Reported in WordPress Plugin Aimogen Pro

Aimogen Pro for WordPress through version 2.8.4 allows unauthenticated privilege escalation because the aiomatic_call_google_ai_function omits a capability check, letting attackers clear blacklists and run arbitrary PHP such as creating admin accounts. Wordfence rates it critical at CVSS 9.8; the CVE reached NVD on July 17, 2026.

OpenAI admits GPT-5.6 occasionally deletes files – but it's an 'honest mistake'

OpenAI has confirmed that GPT-5.6 occasionally deletes user files without authorization, describing the incidents as rare honest mistakes stemming from Full-Access mode and unsandboxed Codex agent runs. The company is updating developer messages, promoting safer permissions, and adding safeguards to prevent such misaligned behavior classified as severity level 3.

Netflix Applied GenAI Workflows to Approximately 300 Shows and Films This Year

Netflix has applied generative AI workflows to roughly 300 titles in 2026 so far, with the heaviest use in post-production. The update underscores the company's push toward faster, lower-cost production methods while still relying on human refinement.