{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/oncall/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-63087"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Grafana OnCall"],"_cs_severities":["critical"],"_cs_tags":["unauthenticated-access","grafana","oncall","vulnerability","rce-potential"],"_cs_type":"advisory","_cs_vendors":["Grafana Labs"],"content_html":"\u003cp\u003eCVE-2026-63087 describes a critical unauthenticated access vulnerability present in Grafana OnCall versions up to 1.16.11. Remote attackers can exploit this flaw by sending a POST request to a specific internal plugin installation endpoint. The vulnerability hinges on the use of hardcoded default \u003ccode\u003estack_id\u003c/code\u003e and \u003ccode\u003eorg_id\u003c/code\u003e values, which are publicly available in the source code. Upon successful exploitation, attackers can acquire a valid \u003ccode\u003ePluginAuthToken\u003c/code\u003e, granting them authentication privileges to all internal API endpoints of the Grafana OnCall instance. This level of access permits a range of malicious activities, including the creation of arbitrary administrative users via the \u003ccode\u003euser-context header bootstrap path\u003c/code\u003e, revocation of legitimate plugin tokens, and the redirection of OnCall-to-Grafana API communications to an attacker-controlled server by manipulating the \u003ccode\u003egrafana_url\u003c/code\u003e and \u003ccode\u003eapi_token\u003c/code\u003e settings. This vulnerability presents a severe risk of complete system compromise and data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Grafana OnCall instance accessible via the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request targeting the internal plugin install endpoint of the Grafana OnCall application.\u003c/li\u003e\n\u003cli\u003eThe POST request includes the hardcoded default \u003ccode\u003estack_id\u003c/code\u003e and \u003ccode\u003eorg_id\u003c/code\u003e values in its body or query parameters, as specified in the public source code.\u003c/li\u003e\n\u003cli\u003eUpon processing the request, the vulnerable Grafana OnCall instance issues a valid \u003ccode\u003ePluginAuthToken\u003c/code\u003e to the attacker due to the unauthenticated access flaw.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the newly acquired \u003ccode\u003ePluginAuthToken\u003c/code\u003e to authenticate subsequent requests to internal Grafana OnCall API endpoints.\u003c/li\u003e\n\u003cli\u003eLeveraging this authenticated access, the attacker sends a crafted API request, utilizing the \u003ccode\u003euser-context header bootstrap path\u003c/code\u003e, to create a new administrative user with full privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker may optionally revoke the legitimate plugin token to hinder detection or recovery efforts.\u003c/li\u003e\n\u003cli\u003eFinally, the attacker modifies critical configuration settings, such as the \u003ccode\u003egrafana_url\u003c/code\u003e and \u003ccode\u003eapi_token\u003c/code\u003e, to redirect all Grafana OnCall-to-Grafana API communications to an attacker-controlled host, potentially leading to data interception or further compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-63087 grants attackers extensive control over the compromised Grafana OnCall instance. With a CVSS v3.1 Base Score of 9.8, the vulnerability poses a critical risk, enabling full system compromise. Attackers can create arbitrary administrator accounts, gaining complete access to sensitive data and functionality. They can also hijack critical API communication channels by redirecting them to their infrastructure, leading to data exfiltration, service disruption, or further lateral movement into connected Grafana environments. This could result in unauthorized access to monitoring data, altering alert configurations, and disrupting incident response workflows, severely impacting an organization's operational security and reliability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-63087 immediately by updating Grafana OnCall to version 1.16.12 or newer.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for unusual POST requests directed at internal plugin install endpoints on Grafana OnCall instances.\u003c/li\u003e\n\u003cli\u003eImplement monitoring of Grafana OnCall application logs for unexpected creation of administrative users or modification of critical configuration parameters like \u003ccode\u003egrafana_url\u003c/code\u003e and \u003ccode\u003eapi_token\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eRestrict network access to Grafana OnCall internal API endpoints to only trusted sources and necessary services.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-16T17:18:20Z","date_published":"2026-07-16T17:18:20Z","id":"https://feed.craftedsignal.io/briefs/2026-07-grafana-oncall-unauth-access/","summary":"A critical unauthenticated access vulnerability, CVE-2026-63087, in Grafana OnCall through version 1.16.11 allows remote attackers to obtain a valid PluginAuthToken by sending a POST request to an internal plugin install endpoint using hardcoded default stack_id and org_id values, enabling authentication to all internal API endpoints, creation of arbitrary administrative users, and redirection of API calls to an attacker-controlled host.","title":"Grafana OnCall Unauthenticated Access Vulnerability (CVE-2026-63087)","url":"https://feed.craftedsignal.io/briefs/2026-07-grafana-oncall-unauth-access/"}],"language":"en","title":"CraftedSignal Threat Feed - Oncall","version":"https://jsonfeed.org/version/1.1"}