CVE-2026-63087
grafana-cold-storage · oncall
An unauthenticated access vulnerability in Grafana OnCall allows remote attackers to hijack plugin tokens, authenticate as administrators, and redirect API traffic to malicious hosts.
Executive summary
An unauthenticated vulnerability in Grafana OnCall allows remote attackers to fully compromise the system by hijacking authentication tokens and creating unauthorized administrative accounts.
Vulnerability
The application contains an unauthenticated endpoint that permits the retrieval of a valid PluginAuthToken using default identifier values. This allows an unauthenticated attacker to bypass authentication, gain administrative access, and manipulate system configurations.
Business impact
This vulnerability carries a CVSS score of 9.8, reflecting a critical risk to system integrity and confidentiality. Successful exploitation provides attackers with full administrative control, enabling them to alter system workflows, exfiltrate data, and redirect API calls to external malicious infrastructure.
Remediation
Immediate Action: Update grafana-cold-storage oncall to the latest available version beyond 1.16.11.
Proactive Monitoring: Monitor server logs for unexpected requests to the plugin install endpoint and the creation of new administrative users.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules designed to block unauthorized access attempts to internal plugin installation and management endpoints.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the critical nature of this unauthenticated remote code execution and administrative takeover risk, organizations must treat this as a high-priority update. Immediate patching is the only effective way to remediate the underlying logic flaw.