Product
A critical unauthenticated access vulnerability, CVE-2026-63087, in Grafana OnCall through version 1.16.11 allows remote attackers to obtain a valid PluginAuthToken by sending a POST request to an internal plugin install endpoint using hardcoded default stack_id and org_id values, enabling authentication to all internal API endpoints, creation of arbitrary administrative users, and redirection of API calls to an attacker-controlled host.