Skip to main content

Splunk Enterprise CVE-2026-20296

| EUVDEUVD-2026-44737 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-07-15 cisco GHSA-hxgj-4vg5-fpww
8.3
CVSS 3.1 · Vendor: cisco
Share

Severity by source

Vendor (cisco) PRIMARY
8.3 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
vuln.today AI
8.3 HIGH

CSRF uses the victim's session so PR:N with UI:R; network-reachable Web endpoint and simple forged GET give AV:N/AC:L; credential and data access yield C:H/I:H with limited A:L.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (cisco).

CVSS VectorVendor: cisco

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

3
Patch available
Jul 15, 2026 - 21:18 EUVD
Analysis Generated
Jul 15, 2026 - 17:50 vuln.today
CVE Published
Jul 15, 2026 - 17:18 cve.org
HIGH 8.3

DescriptionCVE.org

In Splunk Enterprise versions below 10.4.1, 10.2.5, 10.0.8, and 9.4.13, and Splunk Cloud Platform versions below 10.5.2605.0, 10.4.2604.7, 10.3.2512.16, 10.2.2510.18, and 10.1.2507.24, an attacker could trick a user that holds a role with the list_deployment_server capability into running arbitrary Search Processing Language (SPL) searches on their behalf as splunk-system-user, allowing for access to stored credentials and indexed data.<br><br>The vulnerability is possible because Deployment Server endpoints in Splunk Web do not validate Cross-Site Request Forgery (CSRF) tokens on GET requests, and caller-supplied input is not correctly neutralized before it is placed into an SPL search.

AnalysisAI

Cross-Site Request Forgery combined with SPL injection in Splunk Enterprise (below 10.4.1, 10.2.5, 10.0.8, 9.4.13) and Splunk Cloud Platform lets an attacker trick a logged-in user holding the list_deployment_server capability into unknowingly executing attacker-controlled Search Processing Language searches as the privileged splunk-system-user, exposing stored credentials and indexed data. The flaw stems from Deployment Server endpoints in Splunk Web accepting unvalidated GET requests without CSRF token checks and failing to neutralize caller input before it reaches an SPL search. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Host malicious page with forged GET
Delivery
Lure list_deployment_server user to page
Exploit
Browser submits request with victim session
Execution
CSRF bypasses token check on endpoint
Persist
Injected SPL runs as splunk-system-user
Impact
Exfiltrate stored credentials and indexed data

Vulnerability AssessmentAI

Exploitation Exploitation requires a victim who is authenticated to Splunk Web with an active session and holds a role granting the list_deployment_server capability, and who is induced (UI:R) to load attacker-controlled content while that session is live. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L, base 8.3 High) shows a network-reachable, low-complexity attack that needs no attacker privileges (PR:N) but does require user interaction (UI:R) - consistent with CSRF, where the attacker rides a victim's authenticated session rather than authenticating themselves. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious web page containing a forged GET request (e.g. an auto-loading image or link) targeting a vulnerable Deployment Server endpoint with injected SPL, then lures a Splunk operator who holds the list_deployment_server capability to visit it while logged into Splunk Web. …
Remediation Upgrade to a fixed release: Splunk Enterprise 10.4.1, 10.2.5, 10.0.8, or 9.4.13 (on the respective maintained branch); Splunk Cloud Platform is remediated in 10.5.2605.0, 10.4.2604.7, 10.3.2512.16, 10.2.2510.18, and 10.1.2507.24, which Splunk applies to managed Cloud tenants. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all Splunk Enterprise and Cloud Platform deployments and determine their versions, then issue a security alert to users holding the list_deployment_server capability warning them not to click suspicious links or open unexpected documents. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Splunk

View all
CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2024-36985 HIGH POC
8.8 Jul 01

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, a low-privileged user that does not hold the admin or powe

CVE-2023-46214 HIGH POC
8.8 Nov 16

In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet la

CVE-2023-32707 HIGH POC
8.8 Jun 01

In versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform below version 9.0.2303.100,

CVE-2022-43571 HIGH POC
8.8 Nov 03

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can execute arbitrary code through t

CVE-2022-43567 HIGH POC
8.8 Nov 04

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run arbitrary operating system c

CVE-2023-22934 HIGH POC
8.0 Feb 14

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘pivot’ search processing language (SPL) command lets

CVE-2022-43566 HIGH POC
8.0 Nov 04

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run risky commands using a more

CVE-2024-36991 HIGH POC
7.5 Jul 01

In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on t

CVE-2024-36990 MEDIUM POC
6.5 Jul 01

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.2.2403.100, an a

CVE-2017-17067 CRITICAL
9.8 Nov 30

Splunk Web in Splunk Enterprise 7.0.x before 7.0.0.1, 6.6.x before 6.6.3.2, 6.5.x before 6.5.6, 6.4.x before 6.4.9, and

CVE-2013-6771 CRITICAL
9.3 Aug 07

Directory traversal vulnerability in the collect script in Splunk before 5.0.5 allows remote attackers to execute arbitr

Share

CVE-2026-20296 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy