Description
In Splunk SOAR (Security Orchestration, Automation, and Response) versions below 8.5.0, an unauthenticated attacker could inject American National Standards Institute (ANSI) escape codes into SOAR application log files through specially crafted HTTP request paths, which a terminal emulator might interpret when an administrator views the logs.

The injection is possible because SOAR does not strip control characters from HTTP request paths before writing them to application logs.
Published: 2026-06-10
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw allows an unauthenticated attacker to inject ANSI escape codes into application log files by using malformed HTTP request paths. This injection, classified as CWE-117, means the logs are written with unescaped control characters that a terminal emulator interprets when an administrator opens the files. While the server does not execute arbitrary code, the injected codes could modify log display, trigger unintended terminal behavior, or create a denial‑of‑service situation for users reviewing the logs.

Affected Systems

Splunk SOAR – all versions earlier than 8.5.0 are vulnerable. The vulnerability affects the Splunk Security Orchestration, Automation, and Response platform; other Splunk products are not mentioned in the advisories.

Risk and Exploitability

The CVSS base score is 4.3, indicating moderate risk. No EPSS score is available, so the precise exploitation likelihood cannot be quantified, but the vulnerability requires unauthenticated access to the SOAR HTTP interface and only alters log content. The flaw is not listed in the CISA KEV catalog and no public exploits have been reported, which suggests a lower likelihood of active exploitation. However, because the injected escape characters can affect log visibility and potentially cause confusion, administrators should treat the issue as a moderate risk that could degrade operational visibility.

Generated by OpenCVE AI on June 10, 2026 at 19:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Splunk SOAR to version 8.5.0 or later, which removes the uncontrolled logging of ANSI escape codes.
  • If an upgrade is not immediately possible, configure your deployment to strip ANSI escape codes from request paths before they are logged, using application or web‑server level input validation.
  • Ensure that log files are viewed only via terminals or viewers that ignore ANSI escape sequences, or use secure, controllable viewing environments to mitigate accidental terminal effects.
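The second and third actions above can be sketched for a Python logging pipeline you control, such as a proxy or log shipper in front of SOAR. This is an added example, not Splunk's or OpenCVE's code; the logger name and the sample request path are constructed for illustration. The filter rewrites control characters as visible text before a line is written, and the scanner lists existing log lines that contain them so they can be reviewed as inert text.

```python
import io
import logging
import re

# C0 controls except tab (covers ESC 0x1b, CR, LF), DEL, and C1 controls
# (covers the 8-bit CSI 0x9b).
_CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f-\x9f]")


def neutralize(text: str) -> str:
    """Rewrite each control character as a visible \\xNN literal."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), text)


class ControlCharFilter(logging.Filter):
    """Neutralize the fully formatted message, arguments included."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = neutralize(record.getMessage())
        record.args = None  # already merged into msg above
        return True


def suspicious_lines(lines):
    """Return (line_number, neutralized_text) for lines that hold control
    characters, so existing logs can be reviewed as inert text."""
    hits = []
    for number, line in enumerate(lines, start=1):
        body = line.rstrip("\r\n")
        if _CONTROL.search(body):
            hits.append((number, neutralize(body)))
    return hits


def demo() -> str:
    """Log one constructed request line through the filter."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(ControlCharFilter())
    log = logging.getLogger("example.access")  # hypothetical logger name
    log.handlers, log.propagate = [handler], False
    log.setLevel(logging.INFO)
    # Constructed sample path: a colour sequence plus an embedded newline.
    log.info("GET %s 404", "/index\x1b[31mred\x1b[0m\nsecond line")
    return stream.getvalue()
```

Escaping rather than deleting the characters keeps the evidence of the attempt in the log while making it inert in any viewer.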


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description In Splunk SOAR (Security Orchestration, Automation, and Response) versions below 8.5.0, an unauthenticated attacker could inject American National Standards Institute (ANSI) escape codes into SOAR application log files through specially crafted HTTP request paths, which a terminal emulator might interpret when an administrator views the logs. The injection is possible because SOAR does not strip control characters from HTTP request paths before writing them to application logs.
Title Log Injection through HTTP Request Paths in Splunk SOAR
Weaknesses CWE-117
References
Metrics cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-06-10T18:23:13.215Z

Reserved: 2025-10-08T11:59:15.402Z

Link: CVE-2026-20260

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-06-10T18:16:41.643

Modified: 2026-06-10T18:36:19.463

Link: CVE-2026-20260

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T19:30:37Z

Weaknesses