Impact
A low-privileged user who holds neither the admin nor the power role can abuse the Dashboard Studio PDF export to make the Splunk server issue HTTP requests to arbitrary internal resources (Server-Side Request Forgery, SSRF). The flaw has two parts: the export service validates destinations against a prefix-match allowlist, which attacker-controlled subdomains can satisfy, and it follows HTTP redirects without re-validating the final target. An attacker can use this to exfiltrate internal data, reach privileged services, or pivot within the network, with potential confidentiality, integrity, and availability impact. The vulnerability is classified as CWE-918 (Server-Side Request Forgery).
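To make the two weaknesses concrete, the following added example (not Splunk's code; the hostnames, allowlist and redirect chain are constructed placeholders) places the flawed prefix-match check beside an exact-host check that is re-applied to every redirect hop before that hop is fetched:

```python
from urllib.parse import urlsplit, urljoin
import ipaddress

# Constructed allowlist for the export fetcher (placeholder names, not Splunk's).
ALLOWED_HOSTS = {"dashboards.example.internal"}

def weak_prefix_check(url: str) -> bool:
    """The flawed pattern the advisory describes: a string-prefix match on the
    allowed origin, so a registrable name that merely starts with the allowed
    host (dashboards.example.internal.attacker.test) passes."""
    return any(url.startswith(f"https://{h}") for h in ALLOWED_HOSTS)

def is_allowed_target(url: str) -> bool:
    """Hardened check: https only, no userinfo, no literal IP, exact host match."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.username is not None:
        return False
    host = (parts.hostname or "").rstrip(".")
    try:
        ipaddress.ip_address(host)
        return False  # literal addresses are never on the allowlist
    except ValueError:
        pass
    return host in ALLOWED_HOSTS

def fetch_with_revalidation(url: str, fetch, max_redirects: int = 5) -> bytes:
    """Follow redirects manually so every hop is re-validated before it is
    requested. fetch(url) returns (status, location_header, body); it is
    injected so the example runs offline against the constructed chain below."""
    for _ in range(max_redirects + 1):
        if not is_allowed_target(url):
            raise ValueError(f"blocked: {url}")
        status, location, body = fetch(url)
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)  # resolve relative Location headers
            continue
        return body
    raise ValueError("too many redirects")

# Constructed responses: the allowed dashboard host redirects into an internal
# service, which is the redirect pattern the advisory describes.
CHAIN = {
    "https://dashboards.example.internal/report": (302, "http://intranet.example.internal/secret", b""),
    "https://dashboards.example.internal/ok": (302, "/final", b""),
    "https://dashboards.example.internal/final": (200, None, b"%PDF-1.7 ..."),
}

def fake_fetch(url: str):
    return CHAIN.get(url, (404, None, b""))
```

The weak check accepts the attacker-controlled subdomain, while the hardened path rejects it outright and also blocks the redirect hop to the internal service, returning the PDF body only when every hop stays on the allowlisted host.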
Affected Systems
The affected product families are Splunk Cloud Platform and Splunk Enterprise. Splunk Enterprise versions prior to 10.2.4, 10.0.7, 9.4.12, and 9.3.13 are vulnerable, as are Splunk Cloud Platform releases prior to 10.4.2604.3, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132. Any deployment in which users holding neither the admin nor the power role can use the PDF export must be considered at risk.
Risk and Exploitability
The CVSS score of 7.6 places the vulnerability in the high severity range; no EPSS score is available, so the probability of exploitation cannot be quantified precisely. The vulnerability is not currently listed in CISA's KEV catalog. The likely attack path is a compromised or malicious internal user who accesses the Splunk UI, selects the PDF export option, and supplies a URL on a subdomain they control to trigger the SSRF. Once the redirect chain resolves to an internal target, the attacker can retrieve data from, or interact with, internal services. Because any user with access to PDF export can trigger the attack, the exposed surface is broad in any organization running a vulnerable Splunk version.
OpenCVE Enrichment