Impact
The vulnerability stems from an insufficient access control check on the endpoint that handles ownership reassignment of saved searches. A role that holds the edit_saved_search_owner capability can use this endpoint to transfer ownership to any other user, including users outside the role’s intended scope. This flaw, classified as CWE-284, gives an attacker who possesses the high‑privilege capability a pathway to alter administrative privileges and access data not normally available under their rights.
Affected Systems
Splunk Enterprise versions earlier than 10.2.4 and 10.0.7, and Splunk Cloud Platform versions earlier than 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, and 9.3.2411.131 are vulnerable.
Risk and Exploitability
The CVSS v3.1 score of 5.5 indicates moderate severity; no EPSS score is available, so the current exploitation probability is unknown. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that if an attacker has the edit_saved_search_owner permission, the lack of additional authorization checks on the reassignment endpoint could allow them to reassign ownership to users outside their authorized scope, potentially elevating their own privileges or granting elevated privileges to others. Because the flaw requires existing high‑privilege access, the threat is primarily one of insider risk and privileged role creep rather than broad external exploitation.
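Because the precondition is holding edit_saved_search_owner, exposure can be scoped by listing every role that has the capability directly or through role inheritance. The following is an added example, not part of the advisory or of Splunk's code; it assumes Splunk's authorize.conf layout ([role_<name>] stanzas, <capability> = enabled, semicolon-separated importRoles), and the sample roles are constructed.

```python
import configparser

CAPABILITY = "edit_saved_search_owner"  # capability named in the advisory

# Constructed sample in authorize.conf layout; role names are hypothetical.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
search = enabled

[role_search_admin]
importRoles = user
edit_saved_search_owner = enabled

[role_soc_lead]
importRoles = search_admin

[role_auditor]
importRoles = user
"""

def roles_with_capability(conf_text, capability=CAPABILITY):
    """Map each role holding the capability to the role that grants it."""
    parser = configparser.ConfigParser(
        strict=False, interpolation=None, allow_no_value=True)
    parser.optionxform = str  # keep key case (importRoles)
    parser.read_string(conf_text)
    direct, imports = set(), {}
    for section in parser.sections():
        if not section.startswith("role_"):
            continue
        role, opts = section[len("role_"):], parser[section]
        # Only an explicit "enabled" counts as a direct grant here.
        if (opts.get(capability) or "").strip().lower() == "enabled":
            direct.add(role)
        parents = (opts.get("importRoles") or "").split(";")
        imports[role] = [p.strip() for p in parents if p.strip()]

    def source(role, seen=()):
        if role in direct:
            return role
        if role in seen:  # guard against circular importRoles
            return None
        for parent in imports.get(role, []):
            found = source(parent, seen + (role,))
            if found:
                return found
        return None

    resolved = {role: source(role) for role in sorted(imports)}
    return {role: src for role, src in resolved.items() if src}
```

Roles reported only through inheritance (soc_lead in the sample) are the ones most easily missed when reviewing who can reach the reassignment endpoint.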