PatchSiren

grafana-cold-storage CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL grafana-cold-storage CVE published 2026-07-16

CVE-2026-63087

CVE-2026-63087 describes an unauthenticated access vulnerability in Grafana OnCall through 1.16.11. The vulnerability allows remote attackers to obtain a valid PluginAuthToken by sending a POST request to the internal plugin install endpoint using hardcoded default stack_id and org_id values present in the public source tree. Acquired tokens can be used to authenticate against internal API endpoints, crea [truncated]