PT-2026-60508 · Grafana · Grafana Oncall

·

CVE-2026-63087

·

Published

2026-07-16

·

Updated

2026-07-16

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Grafana OnCall versions prior to 1.16.12
Description An unauthenticated access issue exists where remote attackers can obtain a valid PluginAuthToken by sending a POST request to the internal plugin install endpoint. This is possible by using hardcoded default stack id and org id values found in the public source tree. Once the token is acquired, an attacker can authenticate against all internal API endpoints, create arbitrary Admin users via the user-context header bootstrap path, revoke the legitimate plugin token, and redirect OnCall-to-Grafana API calls to an attacker-controlled host by overwriting the grafana url and api token variables.
Recommendations Restrict network access to any remaining instances. Migrate off Grafana OnCall OSS.

Exploit

Fix

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-63087

Affected Products

Grafana Oncall