CVE-2026-63087

Source
https://cve.org/CVERecord?id=CVE-2026-63087
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-63087.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-63087
Published
2026-07-16T16:03:55.866Z
Modified
2026-07-18T03:47:36.520123223Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Grafana OnCall 1.16.11 Unauthenticated Token Hijack via Plugin Install Endpoint
Details

Grafana OnCall through 1.16.11 contains an unauthenticated access vulnerability that allows remote attackers to obtain a valid PluginAuthToken by sending a POST request to the internal plugin install endpoint using hardcoded default stackid and orgid values present in the public source tree. Attackers can leverage the acquired token to authenticate against all internal API endpoints, create arbitrary Admin users via the user-context header bootstrap path, revoke the legitimate plugin token, and redirect OnCall-to-Grafana API calls to an attacker-controlled host by overwriting the organization's grafanaurl and apitoken.

Database specific
{
    "cwe_ids": [
        "CWE-306"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/63xxx/CVE-2026-63087.json",
    "cna_assigner": "VulnCheck"
}
References

Affected packages

Git / github.com/grafana-cold-storage/oncall

Affected ranges

Type
GIT
Repo
https://github.com/grafana-cold-storage/oncall
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.16.11"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

oncall-1.*
oncall-1.0.1
oncall-1.0.10
oncall-1.0.11
oncall-1.0.12
oncall-1.0.2
oncall-1.0.4
oncall-1.0.5
oncall-1.0.6
oncall-1.0.8
oncall-1.0.9
oncall-1.1.0
oncall-1.1.19
oncall-1.1.20
oncall-1.1.21
oncall-1.1.22
oncall-1.1.23
oncall-1.1.24
oncall-1.1.26
oncall-1.1.27
oncall-1.1.28
oncall-1.1.29
oncall-1.1.31
oncall-1.1.32
oncall-1.1.33
oncall-1.1.34
oncall-1.1.35
oncall-1.1.36
oncall-1.1.37
oncall-1.1.38
oncall-1.1.39
oncall-1.1.40
oncall-1.1.41
oncall-1.10.0
oncall-1.10.1
oncall-1.10.2
oncall-1.10.3
oncall-1.10.4
oncall-1.10.5
oncall-1.10.6
oncall-1.11.0
oncall-1.11.1
oncall-1.11.2
oncall-1.11.3
oncall-1.11.5
oncall-1.12.0
oncall-1.12.1
oncall-1.13.0
oncall-1.13.1
oncall-1.13.10
oncall-1.13.11
oncall-1.13.2
oncall-1.13.3
oncall-1.13.4
oncall-1.13.5
oncall-1.13.6
oncall-1.13.7
oncall-1.13.8
oncall-1.13.9
oncall-1.14.0
oncall-1.14.1
oncall-1.14.3
oncall-1.14.4
oncall-1.15.0
oncall-1.15.2
oncall-1.15.3
oncall-1.15.4
oncall-1.15.5
oncall-1.15.6
oncall-1.16.0
oncall-1.16.1
oncall-1.16.4
oncall-1.16.5
oncall-1.2.1
oncall-1.2.10
oncall-1.2.11
oncall-1.2.12
oncall-1.2.13
oncall-1.2.14
oncall-1.2.15
oncall-1.2.16
oncall-1.2.17
oncall-1.2.19
oncall-1.2.2
oncall-1.2.21
oncall-1.2.22
oncall-1.2.23
oncall-1.2.24
oncall-1.2.26
oncall-1.2.27
oncall-1.2.28
oncall-1.2.3
oncall-1.2.30
oncall-1.2.31
oncall-1.2.32
oncall-1.2.33
oncall-1.2.34
oncall-1.2.35
oncall-1.2.36
oncall-1.2.4
oncall-1.2.40
oncall-1.2.41
oncall-1.2.42
oncall-1.2.44
oncall-1.2.46
oncall-1.2.5
oncall-1.2.6
oncall-1.2.7
oncall-1.2.8
oncall-1.2.9
oncall-1.3.0
oncall-1.3.1
oncall-1.3.10
oncall-1.3.100
oncall-1.3.101
oncall-1.3.102
oncall-1.3.104
oncall-1.3.105
oncall-1.3.106
oncall-1.3.108
oncall-1.3.109
oncall-1.3.11
oncall-1.3.110
oncall-1.3.111
oncall-1.3.112
oncall-1.3.113
oncall-1.3.114
oncall-1.3.115
oncall-1.3.116
oncall-1.3.117
oncall-1.3.118
oncall-1.3.12
oncall-1.3.13
oncall-1.3.14
oncall-1.3.15
oncall-1.3.17
oncall-1.3.18
oncall-1.3.19
oncall-1.3.2
oncall-1.3.20
oncall-1.3.21
oncall-1.3.22
oncall-1.3.23
oncall-1.3.24
oncall-1.3.25
oncall-1.3.26
oncall-1.3.27
oncall-1.3.28
oncall-1.3.29
oncall-1.3.3
oncall-1.3.30
oncall-1.3.31
oncall-1.3.32
oncall-1.3.33
oncall-1.3.34
oncall-1.3.35
oncall-1.3.37
oncall-1.3.38
oncall-1.3.39
oncall-1.3.4
oncall-1.3.41
oncall-1.3.42
oncall-1.3.43
oncall-1.3.45
oncall-1.3.5
oncall-1.3.59
oncall-1.3.6
oncall-1.3.60
oncall-1.3.61
oncall-1.3.62
oncall-1.3.63
oncall-1.3.64
oncall-1.3.7
oncall-1.3.75
oncall-1.3.76
oncall-1.3.77
oncall-1.3.78
oncall-1.3.79
oncall-1.3.8
oncall-1.3.80
oncall-1.3.81
oncall-1.3.82
oncall-1.3.83
oncall-1.3.84
oncall-1.3.85
oncall-1.3.86
oncall-1.3.9
oncall-1.3.90
oncall-1.3.91
oncall-1.3.92
oncall-1.3.93
oncall-1.3.94
oncall-1.3.95
oncall-1.3.96
oncall-1.3.97
oncall-1.3.98
oncall-1.3.99
oncall-1.4.0
oncall-1.4.1
oncall-1.4.2
oncall-1.4.3
oncall-1.4.4
oncall-1.4.5
oncall-1.4.6
oncall-1.4.7
oncall-1.5.0
oncall-1.5.1
oncall-1.5.3
oncall-1.5.4
oncall-1.5.5
oncall-1.6.0
oncall-1.6.1
oncall-1.6.2
oncall-1.7.1
oncall-1.7.2
oncall-1.8.0
oncall-1.8.1
oncall-1.8.10
oncall-1.8.11
oncall-1.8.12
oncall-1.8.13
oncall-1.8.2
oncall-1.8.3
oncall-1.8.4
oncall-1.8.5
oncall-1.8.6
oncall-1.8.7
oncall-1.8.8
oncall-1.8.9
oncall-1.9.0
oncall-1.9.1
oncall-1.9.10
oncall-1.9.11
oncall-1.9.12
oncall-1.9.13
oncall-1.9.15
oncall-1.9.16
oncall-1.9.17
oncall-1.9.18
oncall-1.9.19
oncall-1.9.2
oncall-1.9.20
oncall-1.9.21
oncall-1.9.22
oncall-1.9.23
oncall-1.9.24
oncall-1.9.25
oncall-1.9.29
oncall-1.9.3
oncall-1.9.30
oncall-1.9.31
oncall-1.9.4
oncall-1.9.5
oncall-1.9.6
oncall-1.9.7
oncall-1.9.8
oncall-1.9.9
v.*
v.1.1.27
v0.*
v0.0.71
v0.0.72
v0.0.73
v0.0.74
v0.0.75
v1.*
v1.0.0
v1.0.10
v1.0.12
v1.0.13
v1.0.15
v1.0.19
v1.0.2
v1.0.21
v1.0.22
v1.0.23
v1.0.24
v1.0.25
v1.0.26
v1.0.27
v1.0.28
v1.0.29
v1.0.3
v1.0.30
v1.0.31
v1.0.32
v1.0.33
v1.0.34
v1.0.35
v1.0.36
v1.0.37
v1.0.38
v1.0.39
v1.0.4
v1.0.40
v1.0.41
v1.0.42
v1.0.43
v1.0.44
v1.0.45
v1.0.46
v1.0.47
v1.0.48
v1.0.49
v1.0.5
v1.0.50
v1.0.51
v1.0.52
v1.0.6
v1.0.7
v1.0.8
v1.0.9
v1.1.0
v1.1.1
v1.1.10
v1.1.11
v1.1.12
v1.1.13
v1.1.14
v1.1.15
v1.1.16
v1.1.17
v1.1.18
v1.1.19
v1.1.2
v1.1.20
v1.1.21
v1.1.22
v1.1.23
v1.1.24
v1.1.25
v1.1.26
v1.1.27
v1.1.28
v1.1.29
v1.1.3
v1.1.30
v1.1.31
v1.1.32
v1.1.33
v1.1.34
v1.1.35
v1.1.36
v1.1.37
v1.1.38
v1.1.39
v1.1.4
v1.1.40
v1.1.41
v1.1.5
v1.1.6
v1.1.7
v1.1.8
v1.1.9
v1.10.0
v1.10.1
v1.10.2
v1.10.3
v1.10.4
v1.10.5
v1.10.6
v1.11.0
v1.11.1
v1.11.2
v1.11.3
v1.11.4
v1.11.5
v1.12.0
v1.12.1
v1.13.0
v1.13.1
v1.13.10
v1.13.11
v1.13.2
v1.13.3
v1.13.4
v1.13.5
v1.13.6
v1.13.7
v1.13.8
v1.13.9
v1.14.0
v1.14.1
v1.14.2
v1.14.3
v1.14.4
v1.15.0
v1.15.1
v1.15.2
v1.15.3
v1.15.4
v1.15.5
v1.15.6
v1.16.0
v1.16.1
v1.16.10
v1.16.11
v1.16.2
v1.16.3
v1.16.4
v1.16.5
v1.16.6
v1.16.9
v1.2.0
v1.2.1
v1.2.10
v1.2.11
v1.2.12
v1.2.13
v1.2.14
v1.2.15
v1.2.16
v1.2.17
v1.2.18
v1.2.2
v1.2.21
v1.2.22
v1.2.23
v1.2.24
v1.2.25
v1.2.26
v1.2.27
v1.2.29
v1.2.3
v1.2.30
v1.2.32
v1.2.33
v1.2.34
v1.2.35
v1.2.36
v1.2.37
v1.2.38
v1.2.39
v1.2.4
v1.2.40
v1.2.41
v1.2.42
v1.2.43
v1.2.44
v1.2.45
v1.2.46
v1.2.5
v1.2.6
v1.2.7
v1.2.8
v1.2.9
v1.3.0
v1.3.1
v1.3.10
v1.3.100
v1.3.101
v1.3.102
v1.3.103
v1.3.104
v1.3.105
v1.3.106
v1.3.107
v1.3.108
v1.3.109
v1.3.11
v1.3.110
v1.3.111
v1.3.112
v1.3.113
v1.3.114
v1.3.115
v1.3.116
v1.3.117
v1.3.118
v1.3.12
v1.3.13
v1.3.14
v1.3.15
v1.3.16
v1.3.17
v1.3.18
v1.3.2
v1.3.20
v1.3.21
v1.3.22
v1.3.23
v1.3.24
v1.3.25
v1.3.26
v1.3.27
v1.3.28
v1.3.29
v1.3.3
v1.3.30
v1.3.31
v1.3.32
v1.3.33
v1.3.34
v1.3.35
v1.3.36
v1.3.37
v1.3.38
v1.3.39
v1.3.4
v1.3.40
v1.3.41
v1.3.42
v1.3.43
v1.3.44
v1.3.45
v1.3.46
v1.3.47
v1.3.48
v1.3.49
v1.3.5
v1.3.50
v1.3.51
v1.3.52
v1.3.53
v1.3.54
v1.3.55
v1.3.56
v1.3.57
v1.3.58
v1.3.59
v1.3.6
v1.3.60
v1.3.61
v1.3.62
v1.3.63
v1.3.64
v1.3.65
v1.3.66
v1.3.67
v1.3.68
v1.3.69
v1.3.7
v1.3.70
v1.3.71
v1.3.72
v1.3.73
v1.3.74
v1.3.75
v1.3.76
v1.3.77
v1.3.78
v1.3.79
v1.3.8
v1.3.80
v1.3.81
v1.3.82
v1.3.83
v1.3.84
v1.3.86
v1.3.87
v1.3.88
v1.3.89
v1.3.9
v1.3.90
v1.3.91
v1.3.92
v1.3.95
v1.3.96
v1.3.97
v1.3.98
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.5.0
v1.5.1
v1.5.2
v1.5.3
v1.5.4
v1.5.5
v1.6.0
v1.6.1
v1.6.2
v1.7.0
v1.7.1
v1.7.2
v1.8.0
v1.8.1
v1.8.10
v1.8.11
v1.8.12
v1.8.13
v1.8.2
v1.8.3
v1.8.4
v1.8.5
v1.8.6
v1.8.7
v1.8.8
v1.8.9
v1.9.0
v1.9.1
v1.9.10
v1.9.11
v1.9.12
v1.9.13
v1.9.14
v1.9.15
v1.9.16
v1.9.17
v1.9.18
v1.9.19
v1.9.2
v1.9.20
v1.9.21
v1.9.22
v1.9.23
v1.9.24
v1.9.25
v1.9.26
v1.9.27
v1.9.28
v1.9.29
v1.9.3
v1.9.30
v1.9.31
v1.9.4
v1.9.5
v1.9.6
v1.9.7
v1.9.8
v1.9.9
v1.x.x

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-63087.json"