Back to overview

CVE-2026-20296

HIGH
8.3
CVSS 3.1
Description
In Splunk Enterprise versions below 10.4.1, 10.2.5, 10.0.8, and 9.4.13, and Splunk Cloud Platform versions below 10.5.2605.0, 10.4.2604.7, 10.3.2512.16, 10.2.2510.18, and 10.1.2507.24, an attacker could trick a user that holds a role with the `list_deployment_server` capability into running arbitrary Search Processing Language (SPL) searches on their behalf as `splunk-system-user`, allowing for access to stored credentials and indexed data.<br><br>The vulnerability is possible because Deployment Server endpoints in Splunk Web do not validate Cross-Site Request Forgery (CSRF) tokens on GET requests, and caller-supplied input is not correctly neutralized before it is placed into an SPL search.

Metadata

CVE ID
CVE-2026-20296
State
PUBLISHED
Assigner
cisco
Reserved
2025-10-08 11:59 UTC
Published
2026-07-15 17:18 UTC
Last updated
2026-07-15 18:10 UTC
Primary CWE
CWE-352
The web application does not, or can not, sufficiently verif…
Vendor / Product
Splunk / Splunk Enterprise
Sources
cve.org  ·  NVD

Severity & Metrics

8.3 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
total
Affected products (2)
VendorProductPlatformVersions
Splunk Splunk Cloud Platform 10.5.2605 < 10.5.2605.0, 10.4.2604 < 10.4.2604.7, 10.3.2512 < 10.3.2512.16, 10.2.2510 < 10.2.2510.18 …
Splunk Splunk Enterprise 10.4 < 10.4.1, 10.2 < 10.2.5, 10.0 < 10.0.8, 9.4 < 9.4.13
Weakness (CWE)
CWESourceDescription
CWE-352 cna The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.3 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
Back to overview