External risk intelligence

Grafana OnCall Unauthenticated Token and Admin Access Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-63087

Grafana OnCall manages incident response and requires network accessibility for integrations. The vulnerability exists in an API endpoint used for plugin installation. Because this functional component is reachable in standard operational environments and the exploit relies on hardcoded values publicly available in the source tree, the surface for unauthenticated exploitation is significant.

Missing Authentication

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in Grafana OnCall that allows unauthenticated remote attackers to obtain a valid PluginAuthToken. By leveraging this token, attackers can gain administrative control, create new admin users, revoke existing tokens, and redirect critical API calls to attacker-controlled systems, posing a significant risk to incident response operations.

  • Unauthenticated attackers can gain full control.
  • Affects incident response and critical system access.
  • Confirm relevance and assess exposure immediately.

Attack Path

How an attacker could exploit the issue

An attacker can gain initial access by sending a specific request to an internal plugin installation endpoint. This request, which does not require authentication, exploits hardcoded values to obtain a valid token. With this token, the attacker can then access internal API endpoints, create new administrator accounts, and redirect sensitive API calls to their own systems.

  • No authentication needed.
  • Triggered via plugin install endpoint.
  • Leads to full administrative control.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated remote attacker to obtain a valid token, which grants access to internal API endpoints. This could enable an attacker to create administrative users, revoke legitimate tokens, and redirect API calls to an attacker-controlled host, potentially impacting service availability and integrity.

  • System access and control.
  • Unauthenticated token retrieval.
  • Service disruption and unauthorized access.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Grafana OnCall team, likely working with platform or infrastructure owners, should prioritize understanding the scope of this unauthenticated access vulnerability. The first practical step involves identifying all OnCall instances, confirming their exposure to the internet or untrusted networks, and then determining the business criticality of each instance to prioritize remediation efforts.

  • Identify OnCall instance owners.
  • Verify network exposure and critical systems.
  • Coordinate vendor updates and patching schedules.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Grafana OnCall?

Grafana OnCall is a specialized tool used by engineering and operations teams to manage incident response, on-call rotations, and alerting workflows. It integrates with various monitoring systems to ensure technical teams are notified when services experience issues, serving as a critical hub for maintaining system reliability and communication during infrastructure outages.

What is the weakness class for CVE-2026-63087?

This vulnerability is classified as CWE-306, which refers to Missing Authentication for Critical Function. In simple terms, the software allows sensitive actions—like installing plugins or managing administrative settings—to be performed without verifying the user's identity. Because the system fails to require a password or token for these specific API requests, an attacker can interact with the service as if they were a trusted administrator.

How is this vulnerability triggered?

The issue is triggered when an attacker sends a specially crafted POST request to the internal plugin installation endpoint. This request succeeds because it utilizes hardcoded, default identifiers that are publicly discoverable in the source code. It is important to note that the vulnerability is not triggered by standard usage or legitimate administrative actions; it specifically requires the targeted, unauthenticated abuse of this configuration endpoint to obtain a valid access token.

Why does Halo Surface Signal categorize this as highly relevant?

Halo Surface Signal flags this as highly relevant because Grafana OnCall is designed for network integration, meaning its API endpoints are often reachable within operational environments. Since the flaw requires no authentication and relies on publicly known hardcoded values, any instance that is reachable from a network—especially those exposed to the internet—faces a significant risk of unauthorized access and administrative takeover.

Do I need to take action to protect my Grafana OnCall instances?

Yes. First, you should identify all active OnCall instances within your organization and confirm their current network exposure. Prioritize identifying if any are accessible from the public internet or untrusted networks. Once identified, work with your infrastructure or platform teams to assess the business criticality of those systems and coordinate the necessary vendor updates to patch this access vulnerability.

References