CRITICAL
grafana-cold-storage
CVE published 2026-07-16
CVE-2026-63087
CVE-2026-63087 describes an unauthenticated access vulnerability in Grafana OnCall through 1.16.11. The vulnerability allows remote attackers to obtain a valid PluginAuthToken by sending a POST request to the internal plugin install endpoint using hardcoded default stack_id and org_id values present in the public source tree. Acquired tokens can be used to authenticate against internal API endpoints, crea [truncated]