VYPR · NVD Advisory · Medium severity (5.7) · Published Jun 10, 2026 · Updated Jun 10, 2026

CVE-2026-20257

Description

Splunk Enterprise and Cloud Platform are vulnerable to data exfiltration via crafted classic dashboards, allowing low-privileged users to trick higher-privileged users into revealing sensitive data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user can craft a classic (Simple XML) dashboard that exfiltrates sensitive data from the browser of a higher-privileged user who views it. The root cause is that classic dashboard panels do not fully validate style attribute values, so a crafted value can make the viewer's browser send requests to external domains that are not on the configured Dashboards Trusted Domains List [1].

Exploitation

Exploitation requires the attacker to phish the victim into opening the crafted dashboard, so that the victim's own browser initiates the outbound request. The attacker must be a low-privileged user, one who holds neither the "admin" nor the "power" Splunk role, with enough access to save a classic dashboard; the victim must be a higher-privileged user who then views it. The attacker cannot trigger the vulnerability at will: it only fires when the victim loads the dashboard [1].

Impact

Successful exploitation lets a low-privileged user exfiltrate sensitive data from the browser of a higher-privileged user. The compromise is limited to data reachable from the victim's browser session, and it depends on the victim being phished into viewing the dashboard [1].

Mitigation

Upgrade Splunk Enterprise to 10.4.0, 10.2.4, 10.0.7, 9.4.12, or 9.3.13, or to a later release on the same branch. Splunk Cloud Platform instances are being actively monitored and patched by Splunk. As a workaround, administrators can configure the Dashboards Trusted Domains List to restrict which external domains dashboards may load content from; because the advisory describes the affected panels as not fully validating style attribute values against that list, treat the workaround as a compensating control and still upgrade [1].
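The following script is an added example, not Splunk's code and not derived from the advisory's reference, that ties the Vulnerability and Mitigation sections together: it reads the Dashboards Trusted Domains List from a web.conf `[settings]` stanza and then scans a classic (Simple XML) dashboard for style attribute values whose `url(...)` targets would make the viewer's browser contact a host outside that list. It assumes trusted domains are configured as `dashboards_trusted_domain.<name> = <domain>` entries in web.conf; the web.conf excerpt, the dashboard, and the collector hostname in the second panel are all constructed placeholders, not indicators from the advisory.

```python
"""Added example for CVE-2026-20257 (not Splunk's code): parse the Dashboards
Trusted Domains List from web.conf and flag style attributes in a classic
Simple XML dashboard that point the viewer's browser at untrusted hosts.

Assumptions: trusted domains are web.conf [settings] entries of the form
dashboards_trusted_domain.<name> = <domain>; the sample web.conf, the sample
dashboard and the collector hostname below are constructed for illustration."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed web.conf excerpt (two allowlisted domains).
SAMPLE_WEB_CONF = """[settings]
dashboards_trusted_domain.cdn = cdn.example.com
dashboards_trusted_domain.maps = tiles.example.org
"""

# Constructed Simple XML dashboard: one HTML panel loads a background image
# from the allowlisted CDN, the other beacons to a placeholder untrusted host.
SAMPLE_DASHBOARD = """<dashboard>
  <label>Ops overview</label>
  <row>
    <panel>
      <title>Errors by host</title>
      <chart><search><query>index=_internal log_level=ERROR | stats count by host</query></search></chart>
    </panel>
    <panel>
      <html>
        <div style="background-image:url(https://cdn.example.com/logo.png)">ok</div>
        <div style="background:url('https://collector.attacker.example/p')">x</div>
      </html>
    </panel>
  </row>
</dashboard>"""

TRUSTED_KEY_RE = re.compile(r"^dashboards_trusted_domain\.[\w.-]+\s*=\s*(\S+)\s*$")
# Any url(...) token inside a CSS value, quoted or unquoted.
CSS_URL_RE = re.compile(r"""url\(\s*['"]?([^'")\s]+)['"]?\s*\)""", re.IGNORECASE)


def parse_trusted_domains(web_conf_text):
    """Set of domains declared under [settings] as dashboards_trusted_domain.<name>."""
    trusted = set()
    in_settings = False
    for raw in web_conf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_settings = line == "[settings]"
            continue
        if not in_settings or not line or line.startswith("#"):
            continue
        m = TRUSTED_KEY_RE.match(line)
        if m:
            trusted.add(m.group(1).lower().strip("/"))
    return trusted


def extract_urls(style_value):
    """All url(...) targets in a CSS style attribute value, in source order."""
    return CSS_URL_RE.findall(style_value)


def host_is_trusted(host, trusted):
    """Exact match or subdomain of an allowlisted domain. Suffix matching is
    done on a dot boundary, so cdn.example.com.evil.test is rejected."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def scan_dashboard(xml_text, trusted):
    """One finding per style attribute url(...) whose host is not trusted.
    Relative paths and data: URIs carry no host and stay on the Splunk
    origin, so they are skipped."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        style = elem.get("style")
        if not style:
            continue
        for url in extract_urls(style):
            host = urlparse(url).hostname  # also resolves scheme-less //host/path
            if host and not host_is_trusted(host, trusted):
                findings.append({"tag": elem.tag, "url": url, "host": host})
    return findings


if __name__ == "__main__":
    allow = parse_trusted_domains(SAMPLE_WEB_CONF)
    for f in scan_dashboard(SAMPLE_DASHBOARD, allow):
        print(f"UNTRUSTED <{f['tag']}> style -> {f['url']}")
```

Run against dashboards exported from the search head (or the XML of a suspect saved view) with the real web.conf; anything flagged points at a host the Trusted Domains List does not cover, which is exactly the traffic a crafted panel would rely on. The scan only covers `url(...)` inside `style` attributes, the surface the advisory names; it is a hunting aid, not a replacement for the upgrade.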

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: not available. There is no source-code context for this CVE, and mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 1