SYS::ONLINE
Wasteland.
Briefs1223
Issues19
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-63087 2026-07-16

CVE-2026-63087: Unauthenticated Token Hijack in Grafana OnCall

"A critical unauthenticated flaw in Grafana OnCall (through 1.16.11) lets remote attackers mint a valid plugin auth token and seize full administrative control of the internal API."

A critical unauthenticated flaw in Grafana OnCall (through 1.16.11) lets remote attackers mint a valid plugin auth token and seize full administrative control of the internal API.

What Is It

CVE-2026-63087 is a missing-authentication vulnerability (CWE-306) in Grafana OnCall through version 1.16.11. A remote attacker can obtain a valid PluginAuthToken by sending a POST request to the internal plugin install endpoint using hardcoded default stack_id and org_id values that are present in the public source tree. No authentication, privileges, or user interaction are required.

Why It Matters

The acquired token authenticates against all internal API endpoints. From there, an attacker can create arbitrary Admin users through the user-context header bootstrap path, revoke the legitimate plugin token, and redirect OnCall-to-Grafana API calls to an attacker-controlled host by overwriting the organization's grafana_url and api_token. This yields full confidentiality, integrity, and availability impact.

The flaw carries a CVSS 3.1 base score of 9.8 (Critical) with a network attack vector and low attack complexity, and a CVSS 4.0 score of 9.3 (Critical). The combination of unauthenticated network access and complete admin takeover makes exploitation straightforward and high-impact.

What's Vulnerable

The CVE record is tagged unsupported-when-assigned, indicating the affected software was not under active support at the time of assignment.

Patch Status

The supplied source material does not include a CISA KEV entry for this CVE, so there is no confirmation of active exploitation and no federally mandated remediation deadline in the data provided. The NVD record is in "Awaiting Analysis" status and lists no vendor patch, fixed version, or remediation action. Given the unsupported-when-assigned tag, organizations should treat exposed OnCall instances as unpatchable and restrict or decommission internet-facing deployments accordingly.

Sources