Splunk AI Toolkit
CVE-2026-20265
MEDIUM
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Network-exploitable by any authenticated low-privileged user; no scope change as impact is confined to Splunk data confidentiality with no integrity or availability effect.
Primary rating from Vendor (cisco).
CVSS Vector (Vendor: cisco)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Description (CVE.org)
In Splunk AI Toolkit versions below 5.7.4, a low-privileged user that does not hold the "admin" or "power" Splunk roles could cause the Splunk AI Toolkit to make outbound requests over HTTP to a server that an attacker controls, which could allow for data exfiltration.
The vulnerability exists because of an insecure default domain allowlist in the Splunk AI Toolkit, which does not restrict outbound AI agent requests to approved external domains.
Analysis (AI)
Outbound SSRF-class data exfiltration in Splunk AI Toolkit versions below 5.7.4 allows any authenticated low-privileged Splunk user (one without the admin or power roles) to redirect the AI agent's HTTP request mechanism to an attacker-controlled server. The root cause is an insecure default domain allowlist shipped with the toolkit that places no restrictions on which external domains the AI agent may contact. …
Vulnerability Assessment (AI)

| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires a valid Splunk user account that does not hold the 'admin' or 'power' Splunk roles; any standard authenticated low-privilege user is sufficient. … |
| Risk Assessment | The CVSS base score of 4.3 (medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N is broadly consistent with the described behavior: network-exploitable, low complexity, requiring only a standard authenticated Splunk account, with limited confidentiality impact. … |
| Exploit Scenario | An authenticated Splunk user with a standard low-privilege account (no admin or power role required) submits a crafted AI agent query that includes or references an attacker-controlled HTTP endpoint. The Splunk AI Toolkit, operating under its permissive default domain allowlist, makes an outbound HTTP request to the attacker's server, potentially including AI-processed Splunk data in the request payload or headers, allowing the attacker to capture the exfiltrated content from their server logs. … |
| Remediation | Upgrade the Splunk AI Toolkit to version 5.7.4 or later, which resolves this vulnerability by implementing a restrictive default domain allowlist that limits outbound AI agent requests to approved external domains. … |
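The weakness described above is a destination allowlist whose default permits everything. The following added example (not Splunk's code; the allowlist format, the `*.` wildcard, and all host and user names are assumptions) shows what a fail-closed version of such a check looks like: plaintext HTTP is refused, an empty or wildcard list is refused instead of silently allowing all, and the host is taken from a parsed URL rather than a substring match, with an audit helper that emits a log line per request the policy would block.

```python
# Deny-by-default destination allowlist for an AI agent's outbound HTTP tool.
# Added example, not Splunk code: allowlist format, '*.' wildcard and all names
# are assumptions; the CVE only says the shipped default restricted nothing.
from urllib.parse import urlsplit


def _host_matches(host: str, entry: str) -> bool:
    """Exact match, or label-boundary match for a '*.vendor.example' entry."""
    entry = entry.lower().rstrip(".")
    if entry.startswith("*."):
        return host.endswith(entry[1:])  # '.vendor.example' keeps the dot boundary
    return host == entry


def check_destination(url: str, allowlist: list[str]) -> tuple[bool, str]:
    """Return (allowed, reason). Fails closed when the list is weak or absent."""
    # The insecure-default shape (nothing configured, or a bare '*') must not
    # silently mean allow-all; refuse until an operator lists explicit hosts.
    if not allowlist or "*" in allowlist:
        return False, "allowlist empty or wildcard; refusing"
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} not permitted"
    # .hostname strips userinfo and port, so 'a@b' URLs are judged on 'b'.
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no host in URL"
    if any(_host_matches(host, e) for e in allowlist):
        return True, f"{host} matches allowlist"
    return False, f"{host} not in allowlist"


def audit(requests: list[tuple[str, str]], allowlist: list[str]) -> list[str]:
    """One log line per agent request the policy would block, for review."""
    lines = []
    for user, url in requests:
        allowed, reason = check_destination(url, allowlist)
        if not allowed:
            lines.append(f"DENY user={user} url={url} reason={reason}")
    return lines


# Constructed sample data: two approved endpoints, four agent requests.
APPROVED = ["llm.example.com", "*.vendor.example"]
SAMPLE_REQUESTS = [
    ("analyst1", "https://llm.example.com/v1/chat"),               # allowed
    ("analyst1", "http://llm.example.com/v1/chat"),                # plaintext
    ("analyst2", "https://llm.example.com@collector.example/"),    # host: collector.example
    ("analyst2", "https://api.vendor.example.collector.example/"),  # not listed
]
```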