Horizon Alert
Summary of the vulnerability and why it matters
This advisory concerns a critical vulnerability in Grafana OnCall that allows unauthenticated remote attackers to obtain a valid PluginAuthToken. By leveraging this token, attackers can gain administrative control, create new admin users, revoke existing tokens, and redirect critical API calls to attacker-controlled systems, posing a significant risk to incident response operations.
- Unauthenticated attackers can gain full control.
- Affects incident response and critical system access.
- Confirm relevance and assess exposure immediately.
Attack Path
How an attacker could exploit the issue
An attacker can gain initial access by sending a specific request to an internal plugin installation endpoint. This request, which does not require authentication, exploits hardcoded values to obtain a valid token. With this token, the attacker can then access internal API endpoints, create new administrator accounts, and redirect sensitive API calls to their own systems.
- No authentication needed.
- Triggered via plugin install endpoint.
- Leads to full administrative control.
Live Threat
Current exploitation, exposure, and threat context
This vulnerability could allow an unauthenticated remote attacker to obtain a valid token, which grants access to internal API endpoints. This could enable an attacker to create administrative users, revoke legitimate tokens, and redirect API calls to an attacker-controlled host, potentially impacting service availability and integrity.
- System access and control.
- Unauthenticated token retrieval.
- Service disruption and unauthorized access.
Operational Fix
Recommended remediation, mitigation, and detection steps
The Grafana OnCall team, likely working with platform or infrastructure owners, should prioritize understanding the scope of this unauthenticated access vulnerability. The first practical step involves identifying all OnCall instances, confirming their exposure to the internet or untrusted networks, and then determining the business criticality of each instance to prioritize remediation efforts.
- Identify OnCall instance owners.
- Verify network exposure and critical systems.
- Coordinate vendor updates and patching schedules.