Description
In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.5, 9.3.7, and 9.2.9, and Splunk Cloud Platform versions below 10.1.2507.0, 10.0.2503.9, 9.3.2411.112, and 9.3.2408.122, a low-privileged user who does not hold the "admin" or "power" Splunk roles could bypass the SPL safeguards for risky commands when they create a Data Model that contains an injected SPL query within an object. They can bypass the safeguards by exploiting a path traversal vulnerability.
Published: 2026-02-18
Score: 3.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: Bypass of SPL safeguards for risky commands
Action: Patch
AI Analysis

Impact

An attacker with a low‑privilege account that lacks admin or power roles can exploit a path traversal flaw in Splunk Enterprise and Splunk Cloud Platform to inject a malicious SPL query into a custom data model. By doing so the SPL safeguards around risky commands are bypassed, allowing the attacker to execute commands that normally would be restricted. This could lead to unauthorized manipulation of data or further escalation of privileges.

Affected Systems

The vulnerability affects Splunk and its Cloud Platform. Splunk Enterprise releases older than version 10.2.0, 10.0.3, 9.4.5, 9.3.7, and 9.2.9 are susceptible, as are Splunk Cloud Platform releases older than 10.1.2507.0, 10.0.2503.9, 9.3.2411.112, and 9.3.2408.122. All other enterprise and cloud versions are considered secure.

Risk and Exploitability

The CVSS score of 3.5 classifies the flaw as low severity, and the EPSS score of less than 1% indicates that exploitation is unlikely at current exposure levels. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires local access or a low‑privileged user’s ability to create data models, and it proceeds via a path‑traversal exploitation of the preloaded model loader. The path traversal and SPL injection jointly enable the bypass of command safeguards, providing the attacker a potential vector to execute risky commands and possibly gain elevated privileges.

Generated by OpenCVE AI on April 17, 2026 at 18:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Splunk Enterprise to version 10.2.0 or higher, or 10.0.3 or higher, or 9.4.5 or higher, or 9.3.7 or higher, or 9.2.9 or higher; upgrade Splunk Cloud Platform to 10.1.2507.0 or higher, or 10.0.2503.9 or higher, or 9.3.2411.112 or higher, or 9.3.2408.122 or higher.
  • Restrict the ability to create custom data models to users with admin or power roles, or enforce security settings that block unsafe data models for low‑privileged accounts.
  • Monitor Splunk logs for path‑traversal attempts and anomalous data‑model creation events to detect and respond to potential exploitation.

Generated by OpenCVE AI on April 17, 2026 at 18:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Splunk splunk
Weaknesses CWE-22
CPEs cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*
cpe:2.3:a:splunk:splunk_cloud_platform:10.1.2507:*:*:*:*:*:*:*
Vendors & Products Splunk splunk

Thu, 19 Feb 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Splunk
Splunk splunk Cloud Platform
Splunk splunk Enterprise
Vendors & Products Splunk
Splunk splunk Cloud Platform
Splunk splunk Enterprise

Wed, 18 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Feb 2026 17:30:00 +0000

Type Values Removed Values Added
Description In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.5, 9.3.7, and 9.2.9, and Splunk Cloud Platform versions below 10.1.2507.0, 10.0.2503.9, 9.3.2411.112, and 9.3.2408.122, a low-privileged user who does not hold the "admin" or "power" Splunk roles could bypass the SPL safeguards for risky commands when they create a Data Model that contains an injected SPL query within an object. They can bypass the safeguards by exploiting a path traversal vulnerability.
Title Risky Commands Safeguards Bypass through preloaded Data Models due to Path Traversal vulnerability in Splunk Enterprise
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N'}

Subscriptions

Splunk Splunk Splunk Cloud Platform Splunk Enterprise
cve-icon MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-02-18T17:55:22.684Z

Reserved: 2025-10-08T11:59:15.381Z

Link: CVE-2026-20137

cve-icon Vulnrichment

Updated: 2026-02-18T17:55:17.640Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-18T18:24:22.637

Modified: 2026-02-20T13:53:39.890

Link: CVE-2026-20137

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T18:45:25Z

Weaknesses