Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated network exploitation with hardcoded public constants gives PR:N/AC:L; token then compromises the linked Grafana org, so scope changes (S:C) with full C/I/A impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Grafana OnCall through 1.16.11 contains an unauthenticated access vulnerability that allows remote attackers to obtain a valid PluginAuthToken by sending a POST request to the internal plugin install endpoint using hardcoded default stack_id and org_id values present in the public source tree. Attackers can leverage the acquired token to authenticate against all internal API endpoints, create arbitrary Admin users via the user-context header bootstrap path, revoke the legitimate plugin token, and redirect OnCall-to-Grafana API calls to an attacker-controlled host by overwriting the organization's grafana_url and api_token.
Articles & Coverage 1
AnalysisAI
Authentication bypass in Grafana OnCall through 1.16.11 lets unauthenticated remote attackers mint a valid PluginAuthToken by POSTing to the internal plugin install endpoint with hardcoded default stack_id and org_id values exposed in the public source tree, then use that token to seize full control of the OnCall instance. With the token, an attacker can create arbitrary Admin users via the user-context header bootstrap path, revoke the legitimate plugin token to lock out operators, and redirect OnCall-to-Grafana API traffic to an attacker host by overwriting grafana_url and api_token. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network reachability to the OnCall internal plugin install endpoint and knowledge of the default stack_id and org_id values - but those values are hardcoded constants present in the public source tree, so they are not a meaningful barrier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine high-priority issue rather than an inflated high-CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker locates an internet-reachable Grafana OnCall instance and sends an unauthenticated POST to the internal plugin install endpoint using the hardcoded default stack_id and org_id from the public source, receiving a valid PluginAuthToken in response. Using that token they create an Admin user through the user-context header bootstrap path and overwrite grafana_url/api_token to redirect OnCall-to-Grafana calls to their own host, harvesting credentials and controlling alerting. … |
| Remediation | No vendor-released patch version is identified in the available data, so 'No vendor-released patch identified at time of analysis' applies - do not assume absence of data means no fix exists; check the VulnCheck advisory (https://www.vulncheck.com/advisories/grafana-oncall-unauthenticated-token-hijack-via-plugin-install-endpoint) and the Grafana OnCall repository/release notes for an updated build past 1.16.11 and upgrade immediately once published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: inventory all Grafana OnCall instances and identify those running version 1.16.11 or earlier; immediately restrict network access to the OnCall plugin installation endpoint to internal networks only and implement mandatory authentication checks at your reverse proxy or WAF layer. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The `Release PR Merged` workflow in the github repo taosdata/grafanaplugin is subject to a command injection vulnerabili
An issue was discovered in Grafana through 7.3.4, when integrated with Zabbix. Rated critical severity (CVSS 9.8), this
A signature verification vulnerability exists in crewjam/saml. Rated critical severity (CVSS 9.8), this vulnerability is
Grafana 2.x, 3.x, and 4.x before 4.6.4 and 5.x before 5.2.3 allows authentication bypass because an attacker can generat
The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input.
Insertion of sensitive information in the centralized (Grafana) logging system in ProLion CryptoSpike 3.0.15P2 allows re
A cross-site scripting (XSS) vulnerability exists in Grafana caused by combining a client path traversal and open redire
The avatar feature in Grafana 3.0.1 through 7.0.1 has an SSRF Incorrect Access Control issue. Rated high severity (CVSS
Grafana is an open-source platform for monitoring and observability. Rated high severity (CVSS 7.5), this vulnerability
Grafana 8.4.3 allows unauthenticated access via (for example) a /dashboard/snapshot/*?orgId=0 URI. Rated high severity (
Grafana 8.4.3 allows reading files via (for example) a /dashboard/snapshot/%7B%7Bconstructor.constructor'/.. Rated high
Grafana is an open-source platform for monitoring and observability. Rated high severity (CVSS 7.5), this vulnerability
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44955
GHSA-whw8-2869-jf7j