VYPR
Medium severity (score 5.7) · NVD Advisory · Published Jun 10, 2026 · Updated Jun 10, 2026

CVE-2026-20254

Description

Splunk Enterprise and Cloud allow low-privileged users to exfiltrate data via CSS injection in classic dashboards when viewed by higher-privileged users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user can craft a malicious classic dashboard. When a higher-privileged user views that dashboard, it can exfiltrate sensitive data to an external server, bypassing the external content restrictions through a Cascading Style Sheets (CSS) injection. The root cause is that the Trusted Domains security check does not fully validate inline style attribute values [1].

Exploitation

A low-privileged user, one who does not hold the 'admin' or 'power' Splunk role, crafts a malicious classic dashboard; the vulnerability is triggered when a higher-privileged user views it. The only prerequisite is permission to create or edit classic dashboards [1].

Impact

An attacker can exfiltrate sensitive data to an external server by tricking a higher-privileged user into viewing the crafted dashboard. Because the external content restriction is bypassed, this can lead to credential exfiltration [1].

Mitigation

Upgrade Splunk Enterprise to versions 10.4.0, 10.2.4, 10.0.7, 9.4.12, and 9.3.13, or higher. Splunk is actively monitoring and patching Splunk Cloud Platform instances; the specific affected and fixed versions for both products are listed in the advisory. Where upgrading is not immediately possible, configure the Dashboards Trusted Domains List to restrict which external domains dashboards may load content from, and review which roles are permitted to create and edit classic dashboards [1].

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context is available for this CVE. Vulnerability mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 1