Severity by source
CVSS vector (NVD): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Primary rating from NVD · only source for this CVE.
Description (NVD)
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.4.2604.3, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could send server-side requests to arbitrary internal destinations through the Dashboard Studio PDF export feature.
The vulnerability exists because the trusted-domain validation uses a prefix match that can be bypassed with attacker-controlled subdomains (for example, docs.splunk.com.evil.com), and because the PDF export service follows HTTP redirects automatically without re-validating each redirect target against the allowlist.
Analysis (AI)
Server-side request forgery in Splunk Enterprise (below 10.2.4, 10.0.7, 9.4.12, 9.3.13) and Splunk Cloud Platform lets a low-privileged authenticated user coerce the Dashboard Studio PDF export feature into issuing HTTP requests to arbitrary internal destinations. The flaw stems from a prefix match on trusted domain names, which attacker-controlled subdomains can satisfy, combined with the PDF export service following HTTP redirects without re-validating each redirect target. …
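The two defects the description names, a string-prefix allowlist check and redirect following without re-validation, contrasted with their hardened forms in an added Python example (not Splunk's code; the allowlist, function names and the in-memory fake fetcher are assumptions):

```python
# Added defender-side example (not Splunk's code): allowlist matching on label
# boundaries instead of a string prefix, and redirect following that re-checks
# every hop. The allowlist, names and the fake fetcher are assumptions.
import ipaddress
from urllib.parse import urljoin, urlsplit

TRUSTED_DOMAINS = ("splunk.com",)  # assumed allowlist, for illustration only

def prefix_match_trusted(url):
    """Weak check of the kind the description names: a plain string prefix test,
    so 'docs.splunk.com.evil.example' passes because of how the name starts."""
    host = (urlsplit(url).hostname or "").lower()
    return host.startswith("docs.splunk.com")

def host_is_trusted(url):
    """Strict check: http(s) only, no IP literals, and the host must equal a
    trusted domain or end with '.' + that domain (a real label boundary)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    try:
        ipaddress.ip_address(host)  # 169.254.169.254, 127.0.0.1, ::1, ...
        return False                # IP literals never match a name allowlist
    except ValueError:
        pass
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def fetch_with_revalidation(url, fetch, max_redirects=5):
    """Follow redirects by hand so every hop is re-checked. `fetch(url)` must
    return (status, headers, body) and must not follow redirects itself."""
    for _ in range(max_redirects + 1):
        if not host_is_trusted(url):
            raise ValueError("blocked untrusted destination: " + url)
        status, headers, body = fetch(url)
        location = headers.get("location")
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # relative Location resolved against current URL
            continue
        return url, status, body
    raise ValueError("too many redirects")

# Constructed in-memory responses standing in for the network; nothing is sent.
FAKE_RESPONSES = {
    "https://docs.splunk.com/asset.png": (200, {}, b"PNG"),
    "https://docs.splunk.com/moved": (302, {"location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"would-be instance metadata"),
}
def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, {}, b""))
```

The second fake response shows why per-hop checks matter: the first hop is on the allowlist, and only the redirect target is the internal address.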
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | The attacker must have valid authenticated credentials for the Splunk instance (any role that can use Dashboard Studio is sufficient; the 'admin' and 'power' roles are explicitly not required), and the target deployment must have the Dashboard Studio PDF export feature enabled and reachable. … |
| Risk Assessment | The CVSS v3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L yields 7.6 (High), reflecting network reach, low complexity, no user interaction, and high confidentiality impact, which is typical for SSRF that can reach cloud metadata or internal admin APIs. … |
| Exploit Scenario | An attacker phishes or otherwise obtains credentials for any low-privileged Splunk user (not admin or power). They craft a Dashboard Studio dashboard whose PDF export pulls a resource from a hostname like 'docs.splunk.com.attacker.tld', which passes the prefix-match check and responds with a 302 redirect to http://169.254.169.254/latest/meta-data/iam/security-credentials/, causing the export service to fetch cloud instance metadata and expose the rendered response (or its side effects) back to the attacker. |
| Remediation | Vendor-released patch: upgrade Splunk Enterprise to 10.2.4, 10.0.7, 9.4.12, or 9.3.13 (or later in each respective branch), per SVD-2026-0602 at https://advisory.splunk.com/advisories/SVD-2026-0602; Splunk Cloud Platform customers should ensure their tenant is on 10.4.2604.3, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, or 9.3.2411.132 or later (cloud upgrades are typically managed by Splunk). … |
Weakness: CWE-918 – Server-Side Request Forgery (SSRF)
Related identifiers: EUVD-2026-36086, GHSA-6722-h93g-5wxq