PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-63087 grafana-cold-storage CVE debrief

CVE-2026-63087 describes an unauthenticated access vulnerability in Grafana OnCall through 1.16.11. The vulnerability allows remote attackers to obtain a valid PluginAuthToken by sending a POST request to the internal plugin install endpoint using hardcoded default stack_id and org_id values present in the public source tree. Acquired tokens can be used to authenticate against internal API endpoints, create Admin users, revoke legitimate plugin tokens, and redirect OnCall-to-Grafana API calls. This vulnerability has a CVSS score of 9.3 and is considered CRITICAL. Users of Grafana OnCall versions up to 1.16.11 should prioritize patching this vulnerability.

Vendor
grafana-cold-storage
Product
oncall
CVSS
CRITICAL 9.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Users of Grafana OnCall versions up to 1.16.11 should prioritize patching this vulnerability. Security teams and administrators responsible for Grafana OnCall installations need to assess their exposure and take immediate action. This includes reviewing and restricting access to the internal plugin install endpoint, monitoring for suspicious activity related to PluginAuthToken usage, and implementing additional authentication mechanisms for API endpoints.

Technical summary

The vulnerability in Grafana OnCall allows attackers to obtain a valid PluginAuthToken without authentication. This token can be used to access internal API endpoints, create Admin users, revoke legitimate tokens, and manipulate API call redirections. The attack involves sending a POST request to the plugin install endpoint with hardcoded stack_id and org_id values present in the public source tree. The vulnerability has a high impact on confidentiality, integrity, and availability, with a CVSS score of 9.3.

Defensive priority

Highest Priority Given the high CVSS score of 9.3 and the critical nature of this vulnerability, immediate action is required to patch Grafana OnCall installations and restrict access to the internal plugin install endpoint. Security teams should prioritize this vulnerability and allocate necessary resources for mitigation and verification efforts. This may involve conducting a thorough inventory of Grafana OnCall installations, reviewing system logs for suspicious activity, and implementing compensating controls for exposed systems while remediation is scheduled and verified. Additionally, defenders should verify that their Grafana OnCall installations are properly configured and that access to sensitive endpoints is restricted to authorized personnel only. The implementation of additional authentication mechanisms for API endpoints and the monitoring of PluginAuthToken usage are also crucial steps in mitigating this vulnerability. Given the potential for attackers to create Admin users and manipulate API call redirections, defenders must take a comprehensive approach to securing their Grafana OnCall installations and protecting against potential exploitation. This includes assigning an owner for follow-up, planning vendor-supported updates or mitigations, and tracking exceptions and retesting remediated assets to ensure that the vulnerability is properly addressed. The high defensive priority also necessitates the review of compensating controls for exposed systems, the checking of relevant monitoring, detection, and logs for exposed assets, and the documentation of evidence to support the closure of this vulnerability. Overall, the defensive priority for this vulnerability is the highest due to its critical nature, high impact, and potential for exploitation. Therefore, it is essential that defenders take immediate and comprehensive action to mitigate this vulnerability and protect their Grafana OnCall installations. The priority level is determined based on the CVSS score, the potential impact of the vulnerability, and the likelihood of exploitation. Given these factors, the defensive priority for CVE-2026-63087 is classified as 'Highest Priority', requiring

Recommended defensive actions

  • Patch Grafana OnCall to version 1.16.12 or later
  • Review and restrict access to the internal plugin install endpoint
  • Monitor for suspicious activity related to PluginAuthToken usage
  • Implement additional authentication mechanisms for API endpoints
  • Conduct a thorough inventory of Grafana OnCall installations and their exposure

Evidence notes

The CVE record was published on 2026-07-16T17:16:58.703Z and last modified on 2026-07-16T17:39:47.790Z. The NVD entry is currently Awaiting Analysis. Limited details are available about the specific affected versions and configurations beyond Grafana OnCall through 1.16.11. To verify exposure, defenders should review the official CVE record and assess their Grafana OnCall installations for potential vulnerability. Additional verification steps may include reviewing system logs for suspicious activity related to PluginAuthToken usage and ensuring that access to the internal plugin install endpoint is properly restricted.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T17:16:58.703Z and has not been modified since then. The NVD entry is currently Awaiting Analysis.