CVE-2026-20259

Vulnerability

In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, and 9.3.2411.131, a user with the edit_saved_search_owner capability can reassign saved search ownership to users outside their authorized scope due to a lack of access control on the ownership reassignment endpoint [1].

Exploitation

An attacker who holds a Splunk role with the edit_saved_search_owner capability can exploit this vulnerability. The attacker needs network access to the Splunk instance and does not require user interaction. The attacker can then use the ownership reassignment endpoint to change the owner of a saved search to an unauthorized user [1].

Impact

Successful exploitation allows an attacker to reassign saved search ownership to users outside their authorized scope. This could lead to unauthorized access or modification of saved searches, potentially impacting data confidentiality and integrity. The scope of the compromise is limited to the saved searches that the attacker can manipulate [1].

Mitigation

Upgrade Splunk Enterprise to versions 10.4.0, 10.2.4, or 10.0.7, or higher. Splunk is actively monitoring and patching Splunk Cloud Platform instances. Specific affected and fix versions for Splunk Cloud Platform are also available [1]. No other mitigations or workarounds are listed in the available references.