
Splunk Enterprise CVE-2026-20252

EUVD: EUVD-2026-36086 · HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-10 · cisco · GHSA-6722-h93g-5wxq
7.6 · CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: Low
  • Availability: Low

Lifecycle Timeline

  • CVE Published: Jun 22, 2026 - 06:03 (cve.org), HIGH 7.6
  • Patch available: Jun 10, 2026 - 20:01 (EUVD)
  • Analysis Generated: Jun 10, 2026 - 18:34 (vuln.today)

Description (NVD)

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.4.2604.3, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could send server-side requests to arbitrary internal destinations through the Dashboard Studio PDF export feature.

The vulnerability exists because the trusted-domain validation uses a prefix match that can be bypassed with attacker-controlled subdomains (for example, docs.splunk.com.evil.com), and because the PDF export service follows HTTP redirects automatically without re-validating each redirect target against the allowlist.
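
The two root causes described above, as an added example (not Splunk's code and not taken from the advisory): a prefix-match host check beside a hostname-boundary check, and a redirect walk that re-validates every hop. The allowlist entry, function names and the redirect map are constructed assumptions; no network requests are made.

```python
import ipaddress
from urllib.parse import urlsplit, urljoin

TRUSTED = ("docs.splunk.com",)  # assumed allowlist entry (host from the page's example)
MAX_HOPS = 5

def prefix_match_allowed(url: str) -> bool:
    """Flawed pattern: the host only has to START with a trusted name."""
    host = urlsplit(url).hostname or ""
    return any(host.startswith(t) for t in TRUSTED)

def host_allowed(url: str) -> bool:
    """Hardened check: https only, exact host or a true subdomain of a trusted name."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme != "https" or not host:
        return False
    try:
        ipaddress.ip_address(host)  # IP literals never belong on a domain allowlist
        return False
    except ValueError:
        pass
    return any(host == t or host.endswith("." + t) for t in TRUSTED)

def fetch_allowed(url: str, redirects: dict) -> tuple:
    """Walk a redirect chain and validate each hop before it would be requested.
    `redirects` maps URL -> Location header and stands in for real HTTP responses."""
    for hop in range(MAX_HOPS + 1):
        if not host_allowed(url):
            return (False, f"blocked at hop {hop}: {url}")
        if url not in redirects:
            return (True, url)  # final response, every hop was on the allowlist
        url = urljoin(url, redirects[url])  # resolve relative Location values
    return (False, "too many redirects")

# Constructed sample data: a trusted URL whose second hop leaves the allowlist.
REDIRECTS = {
    "https://docs.splunk.com/a": "/b",
    "https://docs.splunk.com/b": "http://10.0.0.5/status",
}

if __name__ == "__main__":
    lookalike = "https://docs.splunk.com.evil.com/logo.png"
    print("prefix match:", prefix_match_allowed(lookalike))  # accepted by the flawed check
    print("boundary match:", host_allowed(lookalike))        # rejected
    print(fetch_allowed("https://docs.splunk.com/a", REDIRECTS))
```

For this pattern to hold in a real HTTP client, automatic redirect following has to be turned off so that each `Location` value passes through the same check before the next request is sent.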

Analysis (AI)

Server-side request forgery in Splunk Enterprise (below 10.2.4, 10.0.7, 9.4.12, 9.3.13) and Splunk Cloud Platform lets a low-privileged authenticated user coerce the Dashboard Studio PDF export feature into issuing HTTP requests to arbitrary internal destinations. The root cause is a prefix match on trusted domains combined with a PDF export service that follows redirects without re-validating them. …


Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Obtain low-privileged Splunk credentials
  • Delivery: Create Dashboard Studio dashboard with crafted resource URL
  • Exploit: Trigger PDF export to bypass prefix-match allowlist or chain HTTP redirect
  • Execution: Splunk export service issues request to internal target
  • Persist: Retrieve cloud metadata or internal service response
  • Impact: Exfiltrate credentials or sensitive internal data

Vulnerability Assessment (AI)

Exploitation: The attacker must have valid authenticated credentials for the Splunk instance (any role that can use Dashboard Studio is sufficient - the 'admin' and 'power' roles are explicitly NOT required), and the target deployment must have the Dashboard Studio PDF export feature enabled and reachable. …

Risk Assessment: The CVSS v3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L yields 7.6 (High), reflecting network reach, low complexity, no user interaction, and high confidentiality impact - typical for SSRF that can reach cloud metadata or internal admin APIs. …

Exploit Scenario: An attacker phishes or otherwise obtains credentials for any low-privileged Splunk user (not admin or power). They craft a Dashboard Studio dashboard whose PDF export pulls a resource from a hostname like 'docs.splunk.com.attacker.tld' - which passes the prefix-match check - and which responds with a 302 redirect to http://169.254.169.254/latest/meta-data/iam/security-credentials/, causing the export service to fetch cloud instance metadata and expose the rendered response (or its side effects) back to the attacker.

Remediation: Vendor-released patch: upgrade Splunk Enterprise to 10.2.4, 10.0.7, 9.4.12, or 9.3.13 (or later in each respective branch), per SVD-2026-0602 at https://advisory.splunk.com/advisories/SVD-2026-0602; Splunk Cloud Platform customers should ensure their tenant is on 10.4.2604.3, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, or 9.3.2411.132 or later (cloud upgrades are typically managed by Splunk). …


More in Splunk

CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2026-20251 HIGH
8.8 Jun 10

Remote code execution in Splunk Enterprise, Splunk Cloud Platform, and the Splunk Secure Gateway app allows a low-privil

CVE-2026-7589 MEDIUM POC
5.5 May 01

Path traversal in the CSV Export endpoint of ghantakiran's splunk-mcp-integration allows remote unauthenticated attacker

CVE-2026-20266 CRITICAL
9.1 Jun 17

Authenticated command injection in Splunk AI Toolkit versions below 5.7.4 allows a user with the Splunk admin role to ex

CVE-2025-20229 HIGH
8.0 Mar 26

In Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8, and Splunk Cloud Platform versions below 9.3.2408.104, 9.2.

CVE-2025-20298 HIGH
8.0 Jun 02

Privilege escalation vulnerability in Splunk Universal Forwarder for Windows where incorrect file system permissions are

CVE-2025-20387 HIGH
8.0 Dec 03

In Splunk Universal Forwarder for Windows versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, a new installation of or an u

CVE-2025-20386 HIGH
8.0 Dec 03

In Splunk Enterprise for Windows versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, a new installation of or an upgrade to

CVE-2025-20371 HIGH
7.5 Oct 01

In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6 and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.10

CVE-2026-20239 HIGH
7.5 May 20

Sensitive information disclosure in Splunk Enterprise (below 10.2.2 and 10.0.5) and Splunk Cloud Platform (multiple bran

CVE-2026-20163 HIGH
7.2 Mar 11

Arbitrary shell command execution in Splunk Enterprise and Cloud Platform allows authenticated users with the edit_cmd c

CVE-2025-20231 HIGH
7.1 Mar 26

In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and versions below 3.8.38 and 3.7.23 of the Splunk S
