
Splunk Enterprise CVE-2026-20256

EUVD-2026-36080 · MEDIUM
Improper Input Validation (CWE-20)
2026-06-10 · cisco · GHSA-p326-4xf8-xp88
CVSS 3.1 (NVD): 5.7

Severity by source

NVD (primary): 5.7 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Patch available: Jun 10, 2026 - 20:01 (EUVD)
Analysis generated: Jun 10, 2026 - 18:58 (vuln.today)

Description (CVE.org)

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could cause data exfiltration through classic dashboards by redirecting a victim to an external site using a protocol-relative URL in a drill-down link.

The vulnerability exists because the URL classifier in classic dashboards only recognizes http:// and https:// schemes when checking for external URLs. Protocol-relative URLs such as //attacker.com bypass this check entirely, and Splunk Web does not show the external-navigation warning dialog to the victim.
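The following is an added illustration of the classifier flaw described above; it is not Splunk's code. It places a naive scheme-prefix check next to a hardened origin-based check and adds an audit helper a dashboard owner can run over existing drill-down targets to find links the naive check would pass without a warning. The dashboard origin and the sample links are constructed for the example.

```javascript
// Constructed dashboard origin for the example (not a real Splunk host).
const DASHBOARD_ORIGIN = "https://splunk.example.internal:8000";

// Naive classifier, modelled on the behaviour the advisory describes: only
// absolute http:// and https:// links count as external, so a protocol-relative
// "//attacker.com" is wrongly treated as internal and no warning dialog fires.
function isExternalNaive(url) {
  const u = url.trim().toLowerCase();
  return u.startsWith("http://") || u.startsWith("https://");
}

// Hardened classifier: resolve the link against the dashboard's own origin with
// the WHATWG URL parser, then compare origins. Protocol-relative links, the
// slash/backslash variant and non-http(s) schemes (javascript:, data:) are all
// classified as external; anything unparseable is refused the "internal" path.
function isExternalHardened(url, baseOrigin = DASHBOARD_ORIGIN) {
  let parsed;
  try {
    parsed = new URL(url.trim(), baseOrigin);
  } catch {
    return true;
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return true;
  return parsed.origin !== new URL(baseOrigin).origin;
}

// Audit helper for existing dashboards: return the drill-down targets that the
// naive classifier would wave through but the hardened one flags as external.
function findBypassingLinks(links, baseOrigin = DASHBOARD_ORIGIN) {
  return links.filter(
    (l) => !isExternalNaive(l) && isExternalHardened(l, baseOrigin)
  );
}

// Constructed sample of drill-down targets as they might appear in a dashboard.
const SAMPLE_LINKS = [
  "/app/search/search?q=search%20index%3Dmain",       // same-origin, internal
  "https://splunk.example.internal:8000/app/search",   // absolute, same origin
  "https://status.example.com/",                       // absolute external, warned
  "//attacker.com/capture",                            // protocol-relative bypass
  "/\\attacker.com/capture",                           // slash-backslash variant
  "javascript:void(0)",                                // non-http scheme
];

console.log("Links bypassing the naive check:", findBypassingLinks(SAMPLE_LINKS));
```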

Analysis (AI)

Classic dashboard drill-down links in Splunk Enterprise and Splunk Cloud Platform can be weaponized by low-privileged authenticated users to silently redirect victims to attacker-controlled external sites, enabling data exfiltration. The flaw stems from an incomplete URL scheme validator that recognizes only 'http://' and 'https://' prefixes, allowing protocol-relative URLs like '//attacker.com' to bypass the external-navigation warning dialog entirely. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Attacker authenticates as low-privileged Splunk user
Delivery: Creates or modifies classic dashboard with protocol-relative drill-down URL
Exploit: Victim opens or is directed to the malicious dashboard
Execution: Victim clicks drill-down link (no warning dialog shown)
Persist: Browser silently navigates to attacker-controlled external site
Impact: Sensitive data or credentials exfiltrated via attacker site

Vulnerability Assessment (AI)

Exploitation: Exploitation requires all of the following: the attacker must hold a valid Splunk account that does not have the 'admin' or 'power' Splunk role (i.e., a low-privileged authenticated user, confirmed by CVSS PR:L); the classic dashboards feature must be in use (not the new dashboard framework); the attacker must be able to create or modify a classic dashboard containing a drill-down link; and a victim user must click that drill-down link (confirmed by CVSS UI:R). …
Risk Assessment: The CVSS 5.7 medium score reflects a balanced set of signals: network-accessible (AV:N), low complexity (AC:L), low privileges required (PR:L), high confidentiality impact (C:H), but critically gated by required user interaction (UI:R) and unchanged scope (S:U). …
Exploit Scenario: A low-privileged Splunk user, for example a read-only analyst account, creates or modifies a classic dashboard and inserts a drill-down link configured with a protocol-relative URL such as '//attacker.com/capture' instead of a legitimate internal destination. The attacker then shares the dashboard or waits for a higher-privileged user (such as an admin reviewing team dashboards) to click the link; because Splunk Web's external-navigation warning is never triggered, the victim's browser silently navigates to the attacker-controlled site, where credential harvesting, session token theft via referrer headers, or phishing payloads can be delivered. …
Remediation: Upgrade Splunk Enterprise to version 10.2.4, 10.0.7, 9.4.12, or 9.3.13, depending on the release branch in use; these are the minimum fixed versions confirmed by Splunk advisory SVD-2026-0606 (https://advisory.splunk.com/advisories/SVD-2026-0606). …



CVE-2026-20256 vulnerability details – vuln.today
