Description
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could cause data exfiltration through classic dashboards by redirecting a victim to an external site using a protocol-relative URL in a drill-down link.

The vulnerability exists because the URL classifier in classic dashboards only recognizes `http://` and `https://` schemes when checking for external URLs. Protocol-relative URLs such as `//attacker.com` bypass this check entirely, and Splunk Web does not show the external-navigation warning dialog to the victim.
Published: 2026-06-10
Score: 5.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A low‑privileged user that does not possess the admin or power roles can abuse a classic dashboard drill‑down link that contains a protocol‑relative URL (e.g., //attacker.com). The dashboard engine only validates http:// and https:// schemes; the protocol‑relative form bypasses this check, and Splunk Web does not show the external‑navigation warning dialog. When a victim clicks the link, the browser is redirected to the attacker’s site without the user’s knowledge, allowing the attacker to exfiltrate data or perform social‑engineering attacks. This flaw is a classic input‑validation error (CWE‑20).

Affected Systems

Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132 are affected. The vulnerability is present only in classic dashboard components of these products.

Risk and Exploitability

The CVSS score of 5.7 indicates moderate severity. EPSS is not reported, so the current probability of exploitation is unknown, and the vulnerability is not listed in the CISA KEV catalog. Because the flaw can be triggered by any user that can create or modify a dashboard, the risk is significant in environments where dashboards are exposed to many users. An attacker would need only to add a malicious protocol‑relative link and lure a user to click it; no elevated privileges are required.

Generated by OpenCVE AI on June 10, 2026 at 19:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Splunk Enterprise to version 10.2.4 or later and Splunk Cloud Platform to version 10.3.2512.13 or later.
  • If a patch cannot be applied immediately, restrict dashboard creation/modification rights to trusted users and enforce that drill‑down URLs explicitly use http:// or https:// schemes.
  • Validate custom drill‑down links during dashboard development to confirm that no protocol‑relative URLs are present.
  • Monitor user activity for unexpected redirects originating from dashboards and investigate any incidents promptly.
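The check recommended above can be automated. The following is an added example, not Splunk's own code: it models the flawed "is this URL external?" test described in the advisory beside a hardened one that resolves each link the way the browser will, and scans constructed drill-down targets for links that leave the dashboard origin without a warning. The origin, hostnames and sample links are assumptions.

```javascript
// Added example (not Splunk's code): models the flawed "is this URL external?"
// check described in the advisory next to a hardened replacement, then scans
// constructed drill-down link targets for links that would leave the
// dashboard's origin without triggering the external-navigation warning.
// Assumption: the dashboard is served from DASHBOARD_ORIGIN (hypothetical host).
const DASHBOARD_ORIGIN = "https://splunk.example.internal:8000";

// Flawed classifier: only links that literally start with http:// or https://
// count as external, so "//host/path" is treated as internal.
function isExternalFlawed(href) {
  return /^https?:\/\//.test(href);
}

// Hardened classifier: resolve the link exactly as the browser will, relative
// to the dashboard origin, and treat anything that ends up on another origin or
// on a non-http(s) scheme as external. Unparsable links fail closed.
function isExternalHardened(href, origin = DASHBOARD_ORIGIN) {
  let resolved;
  try {
    resolved = new URL(href, origin);
  } catch (e) {
    return true;
  }
  if (resolved.protocol !== "http:" && resolved.protocol !== "https:") return true;
  return resolved.origin !== new URL(origin).origin;
}

// Links the flawed check lets through silently but that actually navigate
// off-origin: these are the ones a dashboard review should flag.
function findUnwarnedExternalLinks(hrefs, origin = DASHBOARD_ORIGIN) {
  return hrefs.filter((h) => !isExternalFlawed(h) && isExternalHardened(h, origin));
}

// Constructed sample drill-down targets, not taken from any real dashboard.
const SAMPLE_LINKS = [
  "/app/search/search?q=index%3Dmain",          // internal relative path
  "https://splunk.example.internal:8000/app/x", // internal absolute URL
  "https://docs.example.org/runbook",           // external, warning shown
  "//attacker.example/collect",                 // protocol-relative, no warning
  "HTTPS://attacker.example/",                  // scheme case bypasses the regex
];

console.log(findUnwarnedExternalLinks(SAMPLE_LINKS));
// → [ '//attacker.example/collect', 'HTTPS://attacker.example/' ]
```

Running the hardened classifier over exported dashboard link targets before publishing catches the protocol-relative case the original check misses.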


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 19:45:00 +0000

Type: First Time appeared
  Values added: Splunk; Splunk Cloud Platform; Splunk Enterprise
Type: Vendors & Products
  Values added: Splunk; Splunk Cloud Platform; Splunk Enterprise

Wed, 10 Jun 2026 18:15:00 +0000

Type: Description
  Values added: In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could cause data exfiltration through classic dashboards by redirecting a victim to an external site using a protocol-relative URL in a drill-down link.
  The vulnerability exists because the URL classifier in classic dashboards only recognizes `http://` and `https://` schemes when checking for external URLs. Protocol-relative URLs such as `//attacker.com` bypass this check entirely, and Splunk Web does not show the external-navigation warning dialog to the victim.
Type: Title
  Values added: Improper Input Validation through Protocol-Relative URL in Classic Dashboards in Splunk Enterprise
Type: Weaknesses
  Values added: CWE-20
Type: References
Type: Metrics
  Values added: cvssV3_1 {'score': 5.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-06-10T18:19:26.044Z

Reserved: 2025-10-08T11:59:15.401Z

Link: CVE-2026-20256

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-06-10T18:16:41.133

Modified: 2026-06-10T18:36:19.463

Link: CVE-2026-20256

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T19:30:37Z

Weaknesses