Skip to main content

Grafana OnCall EUVDEUVD-2026-44955

| CVE-2026-63087 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-07-16 VulnCheck GHSA-whw8-2869-jf7j
9.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
10.0 CRITICAL

Unauthenticated network exploitation with hardcoded public constants gives PR:N/AC:L; token then compromises the linked Grafana org, so scope changes (S:C) with full C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 16, 2026 - 16:32 vuln.today
CVE Published
Jul 16, 2026 - 16:03 cve.org
CRITICAL 9.3

DescriptionCVE.org

Grafana OnCall through 1.16.11 contains an unauthenticated access vulnerability that allows remote attackers to obtain a valid PluginAuthToken by sending a POST request to the internal plugin install endpoint using hardcoded default stack_id and org_id values present in the public source tree. Attackers can leverage the acquired token to authenticate against all internal API endpoints, create arbitrary Admin users via the user-context header bootstrap path, revoke the legitimate plugin token, and redirect OnCall-to-Grafana API calls to an attacker-controlled host by overwriting the organization's grafana_url and api_token.

AnalysisAI

Authentication bypass in Grafana OnCall through 1.16.11 lets unauthenticated remote attackers mint a valid PluginAuthToken by POSTing to the internal plugin install endpoint with hardcoded default stack_id and org_id values exposed in the public source tree, then use that token to seize full control of the OnCall instance. With the token, an attacker can create arbitrary Admin users via the user-context header bootstrap path, revoke the legitimate plugin token to lock out operators, and redirect OnCall-to-Grafana API traffic to an attacker host by overwriting grafana_url and api_token. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Reach exposed OnCall install endpoint
Delivery
POST default stack_id/org_id unauthenticated
Exploit
Obtain valid PluginAuthToken
Install
Authenticate to internal API
C2
Create Admin user, revoke legit token
Execute
Overwrite grafana_url/api_token to attacker host
Impact
Hijack OnCall and redirect Grafana calls

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to the OnCall internal plugin install endpoint and knowledge of the default stack_id and org_id values - but those values are hardcoded constants present in the public source tree, so they are not a meaningful barrier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine high-priority issue rather than an inflated high-CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker locates an internet-reachable Grafana OnCall instance and sends an unauthenticated POST to the internal plugin install endpoint using the hardcoded default stack_id and org_id from the public source, receiving a valid PluginAuthToken in response. Using that token they create an Admin user through the user-context header bootstrap path and overwrite grafana_url/api_token to redirect OnCall-to-Grafana calls to their own host, harvesting credentials and controlling alerting. …
Remediation No vendor-released patch version is identified in the available data, so 'No vendor-released patch identified at time of analysis' applies - do not assume absence of data means no fix exists; check the VulnCheck advisory (https://www.vulncheck.com/advisories/grafana-oncall-unauthenticated-token-hijack-via-plugin-install-endpoint) and the Grafana OnCall repository/release notes for an updated build past 1.16.11 and upgrade immediately once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: inventory all Grafana OnCall instances and identify those running version 1.16.11 or earlier; immediately restrict network access to the OnCall plugin installation endpoint to internal networks only and implement mandatory authentication checks at your reverse proxy or WAF layer. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-34111 CRITICAL POC
9.8 Jun 06

The `Release PR Merged` workflow in the github repo taosdata/grafanaplugin is subject to a command injection vulnerabili

CVE-2022-26148 CRITICAL POC
9.8 Mar 21

An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. Rated critical severity (CVSS 9.8), this

CVE-2020-27846 CRITICAL POC
9.8 Dec 21

A signature verification vulnerability exists in crewjam/saml. Rated critical severity (CVSS 9.8), this vulnerability is

CVE-2018-15727 CRITICAL POC
9.8 Aug 29

Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generat

CVE-2024-9264 CRITICAL POC
9.4 Oct 18

The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input.

CVE-2023-36649 CRITICAL POC
9.1 Dec 12

Insertion of sensitive information in the centralized (Grafana) logging system in ProLion CryptoSpike 3.0.15P2 allows re

CVE-2025-4123 HIGH POC
7.6 May 22

A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redire

CVE-2020-13379 HIGH POC
8.2 Jun 03

The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. Rated high severity (CVSS

CVE-2023-1387 HIGH POC
7.5 Apr 26

Grafana is an open-source platform for monitoring and observability. Rated high severity (CVSS 7.5), this vulnerability

CVE-2022-32276 HIGH POC
7.5 Jun 17

Grafana 8.4.3 allows unauthenticated access via (for example) a /dashboard/snapshot/*?orgId=0 URI. Rated high severity (

CVE-2022-32275 HIGH POC
7.5 Jun 06

Grafana 8.4.3 allows reading files via (for example) a /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. Rated high

CVE-2021-43798 HIGH POC
7.5 Dec 07

Grafana is an open-source platform for monitoring and observability. Rated high severity (CVSS 7.5), this vulnerability

Share

EUVD-2026-44955 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy