CVE-2026-20256

Vulnerability

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a vulnerability exists in classic dashboards where the URL classifier only recognizes http:// and https:// schemes. Protocol-relative URLs like //attacker.com bypass this check, and Splunk Web does not display an external-navigation warning dialog to the victim [1].

Exploitation

A low-privileged user who does not possess the 'admin' or 'power' Splunk roles can exploit this vulnerability. By crafting a drill-down link within a classic dashboard to use a protocol-relative URL, the attacker can redirect a victim user to an external site controlled by the attacker. This redirection bypasses Splunk's built-in security checks for external URLs [1].

Impact

Successful exploitation allows for data exfiltration by redirecting a victim user to an attacker-controlled external site. The attacker can potentially capture sensitive information or credentials that the victim might enter on the redirected page. The scope of the compromise is limited to the actions of the victim user who clicks the malicious link [1].

Mitigation

Splunk Enterprise should be upgraded to versions 10.4.0, 10.2.4, 10.0.7, 9.4.12, and 9.3.13, or higher. Splunk Cloud Platform instances are being actively monitored and patched. As a workaround, administrators can configure the Dashboards Trusted Domains List to restrict external domains that dashboards can load content from, and review role-based access to restrict who can create and edit classic dashboards [1].