Description
In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, and 9.3.2411.131, a user who holds a Splunk role that contains the high-privilege capability `edit_saved_search_owner` could reassign saved search ownership to users outside their authorized scope. The ownership reassignment endpoint lacks access control.
Published: 2026-06-10
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An inadequate access‑control check on the Saved‑Search ownership reassignment endpoint allows a user with the edit_saved_search_owner capability to change ownership to any other user, including those outside the user’s authorized role. This flaw is classified as CWE‑284 and effectively permits a high‑privilege actor to elevate privileges or grant elevated privileges to others, potentially compromising data access and administrative functions.

Affected Systems

Splunk Enterprise versions earlier than 10.2.4 and 10.0.7 are vulnerable, as are Splunk Cloud Platform versions earlier than 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, and 9.3.2411.131.

Risk and Exploitability

The CVSS v3.1 score of 5.5 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation under current conditions. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be an insider or compromised privileged account; a user already possessing edit_saved_search_owner can reassign search ownership without further authorization checks, thereby achieving privilege escalation or unauthorized access to data.

Generated by OpenCVE AI on June 12, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Splunk Enterprise to version 10.2.4 or 10.0.7 or later, and upgrade Splunk Cloud Platform to at least 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, or 9.3.2411.131
  • Remove the edit_saved_search_owner capability from all roles except those that require it for genuine administration, ensuring that only authorized administrators retain the ability to reassign search ownership
  • Enable audit logging for the ownership reassignment endpoint and regularly review role assignments and audit logs to detect any unauthorized changes

Generated by OpenCVE AI on June 12, 2026 at 21:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Splunk splunk
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*
Vendors & Products Splunk splunk

Wed, 10 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Splunk
Splunk splunk Cloud Platform
Splunk splunk Enterprise
Vendors & Products Splunk
Splunk splunk Cloud Platform
Splunk splunk Enterprise

Wed, 10 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, and 9.3.2411.131, a user who holds a Splunk role that contains the high-privilege capability `edit_saved_search_owner` could reassign saved search ownership to users outside their authorized scope. The ownership reassignment endpoint lacks access control.
Title Improper Access Control in Splunk Enterprise
Weaknesses CWE-284
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N'}


Subscriptions

Splunk Splunk Splunk Cloud Platform Splunk Enterprise
cve-icon MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-06-10T18:24:37.870Z

Reserved: 2025-10-08T11:59:15.401Z

Link: CVE-2026-20259

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-06-10T18:16:41.503

Modified: 2026-06-12T19:50:19.110

Link: CVE-2026-20259

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T22:00:20Z

Weaknesses