CVE-2026-63087
Awaiting Analysis Awaiting Analysis - Queue

Unauthenticated Access in Grafana OnCall Leading to Admin Takeover

Vulnerability report for CVE-2026-63087, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: VulnCheck

Description

Grafana OnCall through 1.16.11 contains an unauthenticated access vulnerability that allows remote attackers to obtain a valid PluginAuthToken by sending a POST request to the internal plugin install endpoint using hardcoded default stack_id and org_id values present in the public source tree. Attackers can leverage the acquired token to authenticate against all internal API endpoints, create arbitrary Admin users via the user-context header bootstrap path, revoke the legitimate plugin token, and redirect OnCall-to-Grafana API calls to an attacker-controlled host by overwriting the organization's grafana_url and api_token.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
grafana oncall to 1.16.11 (inc)
grafana grafana_oncall 1.16.11

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-63087 is a critical unauthenticated access vulnerability in Grafana OnCall OSS deployments. It allows remote attackers to exploit the /api/internal/v1/plugin/v2/install/ endpoint, which lacks authentication checks. By using hardcoded default values (stack_id=5, org_id=100), attackers can send a POST request to obtain a valid PluginAuthToken. This token enables full administrative control over the OnCall organization, including creating admin users, revoking legitimate tokens, and modifying integrations.

Detection Guidance

Check for unauthorized POST requests to the /api/internal/v1/plugin/v2/install/ endpoint with default stack_id=5 and org_id=100. Monitor logs for unexpected admin token generation or modifications to grafana_url and api_token.

Impact Analysis

If exploited, this vulnerability allows attackers to gain full administrative access to your Grafana OnCall instance. They can create arbitrary admin users, revoke legitimate plugin tokens, and redirect API calls to malicious servers. This could lead to data breaches, unauthorized access to sensitive information, and complete system compromise. The impact is severe due to the lack of required authentication.

Compliance Impact

This vulnerability likely violates compliance requirements for GDPR and HIPAA due to unauthorized access risks. GDPR mandates strict data protection and access controls, while HIPAA requires safeguards for protected health information. Exploitation could lead to unauthorized data exposure, violating these regulations and potentially resulting in legal penalties, fines, and reputational damage.

Mitigation Strategies

Restrict access to the engine HTTP port to trusted sources only. Deploy an authenticating proxy to block unauthorized access to the vulnerable endpoint. Since no patch is available, isolation is critical.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-63087. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart