CVE-2026-63087

grafana-cold-storage · oncall

An unauthenticated access vulnerability in Grafana OnCall allows remote attackers to hijack plugin tokens, authenticate as administrators, and redirect API traffic to malicious hosts.

Executive summary

An unauthenticated vulnerability in Grafana OnCall allows remote attackers to fully compromise the system by hijacking authentication tokens and creating unauthorized administrative accounts.

Vulnerability

The application contains an unauthenticated endpoint that permits the retrieval of a valid PluginAuthToken using default identifier values. This allows an unauthenticated attacker to bypass authentication, gain administrative access, and manipulate system configurations.

Business impact

This vulnerability carries a CVSS score of 9.8, reflecting a critical risk to system integrity and confidentiality. Successful exploitation provides attackers with full administrative control, enabling them to alter system workflows, exfiltrate data, and redirect API calls to external malicious infrastructure.

Remediation

Immediate Action: Update grafana-cold-storage oncall to the latest available version beyond 1.16.11.

Proactive Monitoring: Monitor server logs for unexpected requests to the plugin install endpoint and the creation of new administrative users.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules designed to block unauthorized access attempts to internal plugin installation and management endpoints.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the critical nature of this unauthenticated remote code execution and administrative takeover risk, organizations must treat this as a high-priority update. Immediate patching is the only effective way to remediate the underlying logic flaw.