CVE-2026-20255
Description
Splunk Enterprise and Cloud Platform are vulnerable to data exfiltration via crafted dashboards due to incomplete URL validation, allowing low-privileged users to send sensitive data to external servers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a vulnerability exists in the URL validation for the external content dialog within classic dashboards. This allows a low-privileged user to craft a malicious dashboard that can send requests to untrusted domains [1].
Exploitation
An attacker with low privileges, who does not possess 'admin' or 'power' Splunk roles, can create a malicious classic dashboard. When a user interacts with this crafted dashboard, the incomplete URL validation allows requests to be sent to an external server, potentially exfiltrating sensitive data [1].
Impact
Successful exploitation allows a low-privileged user to exfiltrate sensitive data from Splunk to an external server. The scope of the compromise is limited to the data accessible through the crafted dashboard and the user's privileges [1].
Mitigation
Upgrade Splunk Enterprise to versions 10.4.0, 10.2.4, 10.0.7, 9.4.12, and 9.3.13, or higher. Splunk Cloud Platform instances are being patched. Workarounds include configuring the Dashboards Trusted Domains List to restrict external domains and reviewing role permissions for creating and editing classic dashboards [1].
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Splunk Cloud Platform. Range: <10.3.2512.13, <10.2.2510.15, <10.1.2507.23, <9.3.2411.132
- Splunk Enterprise. Range: <10.2.4, <10.0.7, <9.4.12, <9.3.13
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
- Splunk: Critical and High Severity Vulnerabilities Disclosed Together on June 10, 2026 (Vypr Intelligence · Jun 10, 2026)