Skip to main content

Splunk SOAR CVE-2026-20260

| EUVDEUVD-2026-36087 MEDIUM
Improper Output Neutralization for Logs (CWE-117)
2026-06-10 cisco GHSA-7m5m-884p-fv5r
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jun 10, 2026 - 20:01 EUVD
Analysis Generated
Jun 10, 2026 - 19:02 vuln.today

DescriptionCVE.org

In Splunk SOAR (Security Orchestration, Automation, and Response) versions below 8.5.0, an unauthenticated attacker could inject American National Standards Institute (ANSI) escape codes into SOAR application log files through specially crafted HTTP request paths, which a terminal emulator might interpret when an administrator views the logs.<br><br>The injection is possible because SOAR does not strip control characters from HTTP request paths before writing them to application logs.

AnalysisAI

ANSI escape code injection in Splunk SOAR versions below 8.5.0 allows an unauthenticated remote attacker to embed terminal control sequences into application log files via crafted HTTP request paths. When an administrator subsequently views those logs in a terminal emulator, the escape codes may be interpreted, enabling visual output manipulation such as overwriting displayed text, hiding log entries, or altering terminal state. No public exploit code has been identified at time of analysis, and exploitation requires administrator interaction with affected log output, keeping real-world risk moderate despite the low authentication barrier.

Technical ContextAI

Splunk SOAR is an enterprise security orchestration and automation platform. The vulnerability arises from CWE-117 (Improper Output Neutralization for Logs), where the application fails to strip or escape ANSI control sequences - character sequences beginning with ESC (0x1B) followed by bracket characters - from HTTP request path strings before writing them to application log files. Terminal emulators such as xterm, GNOME Terminal, and iTerm2 interpret these sequences to control cursor position, text color, and display formatting. An attacker controlling the request path can therefore inject sequences that, when rendered, may overwrite prior log lines, blank sections of the log, or alter terminal behavior for the viewing session. The affected CPE is cpe:2.3:a:splunk:splunk_soar:*:*:*:*:*:*:*:*, covering all Splunk SOAR versions prior to 8.5.0 across all platforms.

RemediationAI

The primary remediation is upgrading Splunk SOAR to version 8.5.0 or later, which introduces sanitization of control characters from HTTP request paths prior to log writes. The fix version of 8.5.0 is inferred from the description stating affected versions are 'below 8.5.0'; consult the official Splunk advisory at https://advisory.splunk.com/advisories/SVD-2026-0611 for confirmed patch release details and upgrade procedures. As a compensating control where immediate upgrade is not feasible, administrators should avoid reviewing SOAR application logs directly in terminal emulators; instead, use log management platforms (e.g., Splunk Enterprise, a SIEM) that render log content as plain text and strip or display raw escape sequences safely. Additionally, restricting network access to the SOAR HTTP interface to trusted IP ranges reduces the attacker's ability to inject malicious request paths. Note that these workarounds do not eliminate the injection path - they only reduce exposure by limiting log review in vulnerable contexts.

More in Splunk

View all
CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2024-36985 HIGH POC
8.8 Jul 01

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, a low-privileged user that does not hold the admin or powe

CVE-2023-46214 HIGH POC
8.8 Nov 16

In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet la

CVE-2023-32707 HIGH POC
8.8 Jun 01

In versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform below version 9.0.2303.100,

CVE-2022-43571 HIGH POC
8.8 Nov 03

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can execute arbitrary code through t

CVE-2022-43567 HIGH POC
8.8 Nov 04

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run arbitrary operating system c

CVE-2023-22934 HIGH POC
8.0 Feb 14

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘pivot’ search processing language (SPL) command lets

CVE-2022-43566 HIGH POC
8.0 Nov 04

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run risky commands using a more

CVE-2024-36991 HIGH POC
7.5 Jul 01

In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on t

CVE-2024-36990 MEDIUM POC
6.5 Jul 01

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.2.2403.100, an a

CVE-2017-17067 CRITICAL
9.8 Nov 30

Splunk Web in Splunk Enterprise 7.0.x before 7.0.0.1, 6.6.x before 6.6.3.2, 6.5.x before 6.5.6, 6.4.x before 6.4.9, and

CVE-2013-6771 CRITICAL
9.3 Aug 07

Directory traversal vulnerability in the collect script in Splunk before 5.0.5 allows remote attackers to execute arbitr

Share

CVE-2026-20260 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy