
Splunk AI Toolkit

2 CVEs product


CVE-2026-20266 CRITICAL Act Now

Authenticated command injection in Splunk AI Toolkit versions below 5.7.4 allows a user with the Splunk admin role to execute arbitrary OS commands on the underlying Splunk Enterprise host. The flaw lives in the btool configuration helper, which builds shell command strings from dynamic parameters with shell interpretation enabled. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Command Injection Splunk Splunk Ai Toolkit
NVD
CVSS 3.1: 9.1
EPSS: 0.5%
CVE-2026-20265 MEDIUM This Month

Outbound SSRF-class data exfiltration in Splunk AI Toolkit versions below 5.7.4 allows any low-privileged authenticated Splunk user - without admin or power roles - to redirect the AI agent's HTTP request mechanism to an attacker-controlled server. The root cause is an insecure default domain allowlist shipped with the toolkit that places no restrictions on which external domains the AI agent may contact. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the low privilege barrier makes it broadly relevant in enterprise Splunk deployments with many standard users.

Information Disclosure Splunk Splunk Ai Toolkit
NVD
CVSS 3.1: 4.3
EPSS: 0.2%