CVE-2026-20252
Description
Splunk Enterprise and Cloud SSRF via Dashboard Studio PDF export allows low-privileged users to access internal destinations.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.4.2604.3, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, a low-privileged user without 'admin' or 'power' roles can send server-side requests to arbitrary internal destinations via the Dashboard Studio PDF export feature. This is due to a prefix match bypass in trusted-domain validation and the PDF export service automatically following HTTP redirects without re-validation [1].
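The two weaknesses named above, a prefix match on the trusted domain and redirects followed without re-validation, are easiest to see side by side in code. The Python below is an added illustration for this page, not Splunk's code: the allowlist, the redirect table and every hostname and address in it are constructed, and since the page does not state the exact comparison the vulnerable validator performed, a `startswith` test stands in for a generic prefix match.

```python
"""Constructed example: allowlist matching and redirect re-validation.

Hypothetical code, not Splunk's. The allowlist and the redirect table
are constructed stand-ins for a real export service's configuration
and for real HTTP 3xx responses.
"""
from urllib.parse import urlsplit

# Constructed allowlist of hosts the export service may fetch from.
TRUSTED_HOSTS = {"reports.example.com"}

# Constructed redirect table: URL -> Location header of a 3xx response.
# Any URL not in the table is treated as a final 200 response.
REDIRECTS = {
    "https://reports.example.com/open": "http://10.0.0.5/admin",
}


def hostname(url):
    """Lower-cased hostname of a URL, empty string if it has none."""
    return (urlsplit(url).hostname or "").lower()


def weak_is_trusted(url):
    """Prefix match: accepts any hostname that merely begins with a
    trusted name, so a longer, unrelated hostname also passes."""
    host = hostname(url)
    return any(host.startswith(t) for t in TRUSTED_HOSTS)


def strict_is_trusted(url):
    """Hardened check: scheme must be https and the parsed hostname
    must equal an allowlisted host exactly."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()
    return host in TRUSTED_HOSTS


def weak_fetch(url):
    """Flawed pattern: validate only the initial URL, then follow
    every redirect blindly. Returns the URL finally reached."""
    if not weak_is_trusted(url):
        return None
    while url in REDIRECTS:
        url = REDIRECTS[url]
    return url


def strict_fetch(url, max_hops=5):
    """Hardened pattern: re-validate every hop, including the first,
    and cap the number of redirects. Returns the final URL or None
    when any hop fails validation or the hop limit is exceeded."""
    hops = 0
    while True:
        if not strict_is_trusted(url):
            return None
        nxt = REDIRECTS.get(url)
        if nxt is None:
            return url
        hops += 1
        if hops > max_hops:
            return None
        url = nxt


if __name__ == "__main__":
    # Prefix match lets a look-alike hostname through; exact match does not.
    lookalike = "https://reports.example.com.untrusted.test/x"
    print("weak  :", weak_is_trusted(lookalike))      # True
    print("strict:", strict_is_trusted(lookalike))    # False
    # Blind redirect following ends at an internal address;
    # per-hop re-validation stops at the redirect.
    print("weak fetch  :", weak_fetch("https://reports.example.com/open"))
    print("strict fetch:", strict_fetch("https://reports.example.com/open"))
```

The hardened path compares the parsed hostname as a whole rather than as a substring, and applies that comparison on every redirect hop, which is the behaviour the advisory says was missing. A production validator would additionally resolve the hostname and reject private and link-local address ranges before connecting, which this constructed example omits for brevity.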
Exploitation
An attacker with low privileges, who does not hold the 'admin' or 'power' Splunk roles, can exploit this vulnerability by crafting a PDF export request that targets an internal destination. The vulnerability allows for bypassing domain validation using attacker-controlled subdomains and exploits the automatic following of HTTP redirects by the PDF export service without re-validation against the allowlist [1].
Impact
Successful exploitation allows an attacker to send server-side requests to arbitrary internal destinations. This can lead to information disclosure, potential manipulation of internal services, or other impacts depending on the internal network's configuration and the attacker's ability to reach specific endpoints. The scope of the compromise is limited to the Splunk server's network access [1].
Mitigation
Upgrade Splunk Enterprise to versions 10.4.0, 10.2.4, 10.0.7, 9.4.12, and 9.3.13, or higher. Splunk is actively monitoring and patching Splunk Cloud Platform instances. Specific fixed versions for Splunk Cloud Platform include 10.4.2604.3, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132 [1].
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Splunk Cloud Platform, range: <10.4.2604.3, <10.3.2512.12, <10.2.2510.14, <10.1.2507.22, <9.3.2411.132
- Splunk Enterprise, range: <10.2.4, <10.0.7, <9.4.12, <9.3.13
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
- Splunk: Critical and High Severity Vulnerabilities Disclosed Together on June 10, 2026 (Vypr Intelligence · Jun 10, 2026)