VYPR
Medium severity 4.3 · NVD Advisory · Published Jun 10, 2026 · Updated Jun 10, 2026

CVE-2026-20260

Description

Splunk SOAR versions below 8.5.0 are vulnerable to log injection via crafted HTTP request paths, potentially leading to terminal interpretation of ANSI escape codes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Splunk SOAR (Security Orchestration, Automation, and Response) versions prior to 8.5.0, an unauthenticated attacker can inject ANSI escape codes into application log files. This occurs because the application does not remove control characters from HTTP request paths before logging them, allowing specially crafted paths to be written to the logs [1].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending specially crafted HTTP requests with paths containing ANSI escape codes. When an administrator views these logs using a terminal emulator, the terminal may interpret the escape codes rather than display them as text [1].

Impact

Successful exploitation allows an attacker to inject arbitrary ANSI escape codes into Splunk SOAR application logs. When the logs are viewed in a terminal, the codes can be interpreted, potentially leading to visual manipulation or other unintended behaviors within the terminal session of the administrator viewing the logs. The exact impact depends on how the terminal emulator interprets the injected codes [1].
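The two defensive controls this class of bug calls for, neutralizing control characters before a request path is logged and flagging log lines that already contain them, are sketched below. This is an added example, not Splunk's code or its fix; the function names, the log line format and the sample lines are constructed for illustration.

```python
import re

# C0 controls except tab (includes ESC 0x1b, CR, LF), DEL, and C1 controls
# (includes the 8-bit CSI introducer 0x9b).
_CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f-\x9f]")

# 7-bit ANSI escape sequences, used only to itemize what a flagged line contains.
_ANSI = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"               # CSI: ESC [ params intermediates final
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"    # OSC: ESC ] ... terminated by BEL or ESC \
    r"|\x1b[@-Z\\^_]"                        # remaining two-character escapes
)


def sanitize_for_log(value: str) -> str:
    """Replace each control character with a visible \\xNN escape.

    The result is inert in a terminal and cannot split a log record,
    while the original bytes stay recoverable for forensics.
    """
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def scan_log(lines):
    """Return (line_number, escape_sequences, safe_text) for each suspicious line."""
    findings = []
    for number, line in enumerate(lines, 1):
        body = line.rstrip("\n")
        if _CONTROL.search(body):
            sequences = [sanitize_for_log(s) for s in _ANSI.findall(body)]
            findings.append((number, sequences, sanitize_for_log(body)))
    return findings


# Constructed sample: one clean access-log line and two with embedded escapes.
SAMPLE_LOG = [
    '203.0.113.7 - - "GET /login HTTP/1.1" 200\n',
    '203.0.113.9 - - "GET /x\x1b[2K\x1b[31m HTTP/1.1" 404\n',
    '203.0.113.9 - - "GET /y\x1b]0;title\x07 HTTP/1.1" 404\n',
]

if __name__ == "__main__":
    for number, sequences, safe in scan_log(SAMPLE_LOG):
        print(f"line {number}: {sequences}\n  {safe}")
```

Applying `sanitize_for_log` at write time addresses the root cause described above; `scan_log` is for reviewing logs written before that control existed, and its output is safe to print to a terminal.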

Mitigation

Upgrade Splunk SOAR to version 8.5.0 or later to address this vulnerability. Splunk is actively monitoring and patching Splunk SOAR on Splunk Cloud Platform instances. No specific workarounds are listed in the available references [1].

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
