
Splunk AI Toolkit CVE-2026-20265

MEDIUM
Initialization of a Resource with an Insecure Default (CWE-1188)
2026-06-17 · cisco
4.3 (CVSS 3.1) · Vendor: cisco

Severity by source

Vendor (cisco), primary: 4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

vuln.today AI: 4.3 MEDIUM

Network-exploitable by any authenticated low-privileged user; no scope change as impact is confined to Splunk data confidentiality with no integrity or availability effect.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (cisco).

CVSS Vector (Vendor: cisco)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

1. Analysis Generated: Jun 17, 2026 - 18:10 (vuln.today)

Description (CVE.org)

In Splunk AI Toolkit versions below 5.7.4, a low-privileged user that does not hold the "admin" or "power" Splunk roles could cause the Splunk AI Toolkit to make outbound requests over HTTP to a server that an attacker controls, which could allow for data exfiltration.

The vulnerability exists because of an insecure default domain allowlist in the Splunk AI Toolkit, which does not restrict outbound AI agent requests to approved external domains.

Analysis (AI)

Outbound SSRF-class data exfiltration in Splunk AI Toolkit versions below 5.7.4 allows any low-privileged authenticated Splunk user - without admin or power roles - to redirect the AI agent's HTTP request mechanism to an attacker-controlled server. The root cause is an insecure default domain allowlist shipped with the toolkit that places no restrictions on which external domains the AI agent may contact. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Authenticate as low-privileged Splunk user
Delivery: Access Splunk AI Toolkit feature
Exploit: Craft AI agent request targeting attacker-controlled domain
Execution: Toolkit makes unrestricted outbound HTTP request
Impact: Attacker server receives and logs exfiltrated data

Vulnerability Assessment (AI)

Exploitation
Exploitation requires a valid Splunk user account that does not hold the 'admin' or 'power' Splunk roles - any standard authenticated low-privilege user is sufficient. …

Risk Assessment
The CVSS base score of 4.3 (medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N is broadly consistent with the described behavior: network-exploitable, low complexity, requiring only a standard authenticated Splunk account, with limited confidentiality impact. …

Exploit Scenario
An authenticated Splunk user with a standard low-privilege account (no admin or power role required) submits a crafted AI agent query that includes or references an attacker-controlled HTTP endpoint. The Splunk AI Toolkit, operating under its permissive default domain allowlist, makes an outbound HTTP request to the attacker's server - potentially including AI-processed Splunk data in the request payload or headers - allowing the attacker to capture the exfiltrated content from their server logs. …

Remediation
Upgrade the Splunk AI Toolkit to version 5.7.4 or later, which resolves this vulnerability by implementing a restrictive default domain allowlist that limits outbound AI agent requests to approved external domains. …
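A default-deny egress check of the kind the 5.7.4 fix describes, as an added example (not Splunk's or the toolkit's code; the EgressPolicy class, the allow_all_when_empty switch and the provider hostnames are assumptions). It models the shipped weak default beside the hardened one, and normalises the host so that IP literals, userinfo and scheme downgrades cannot slip past a name-based allowlist.

```python
"""Default-deny allowlist for an AI agent's outbound HTTP requests (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from urllib.parse import urlsplit


@dataclass(frozen=True)
class EgressPolicy:
    # Approved hosts; "*.models.example" also approves subdomains, not the apex.
    allowed_domains: frozenset = field(default_factory=frozenset)
    # The advisory's defect, modelled as a switch: empty allowlist means "allow all".
    allow_all_when_empty: bool = False
    allowed_schemes: frozenset = frozenset({"https"})

    def permits(self, url: str) -> bool:
        """Return True only if the agent may contact the host named in url."""
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")   # hostname is already lowercased
        if parts.scheme.lower() not in self.allowed_schemes or not host:
            return False
        if parts.username or parts.password:        # reject "approved@other-host" confusion
            return False
        try:
            ip_address(host)                         # IP literals never match a name list
            return False
        except ValueError:
            pass
        if not self.allowed_domains:
            return self.allow_all_when_empty         # default-deny unless opted out
        for entry in (e.lower() for e in self.allowed_domains):
            if host == entry:
                return True
            if entry.startswith("*.") and host.endswith(entry[1:]) and host != entry[2:]:
                return True
        return False


# Weak: no approved domains shipped, and an empty list permits everything.
WEAK_DEFAULT = EgressPolicy(allow_all_when_empty=True)
# Hardened: an empty list denies everything; operators opt in per provider.
HARDENED_DEFAULT = EgressPolicy()
# Constructed operator configuration (hypothetical provider hostnames).
PRODUCTION = EgressPolicy(allowed_domains=frozenset({"api.llm-provider.example", "*.models.example"}))
# Constructed sample: a URL an agent query could reference but nobody approved.
UNAPPROVED_URL = "https://collector.unapproved.example/ingest?q=splunk-results"
```

Logging every denied URL from `permits` gives a ready-made detection signal for agent queries that reference hosts outside the approved set.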




CVE-2026-20265 vulnerability details – vuln.today
