CVE-2026-7589
Description
A vulnerability was determined in ghantakiran splunk-mcp-integration up to 0b86b09d5e5adf0433acd43c975951224613a1a6. Impacted is the function create_csv_export of the file services/csv-export-service/app/api/v1/endpoints/csv_export.py of the component CSV Export. Manipulation of the argument job_name causes path traversal. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected or updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authenticated path traversal vulnerability in the CSV export service of ghantakiran's Splunk MCP Integration allows remote attackers to write arbitrary files outside the intended directory.
Vulnerability Overview
The CSV export service in ghantakiran's Splunk MCP Integration contains a path traversal vulnerability (CWE-22/CWE-73) in the create_csv_export function. The function accepts a user-controlled job_name parameter and passes it to the CSV generator, which constructs the output filename by joining the sanitized job_name with a job ID and timestamp. However, only spaces are replaced in the job_name; forward slashes, backslashes, and path traversal sequences (e.g., ../) are not filtered. This allows an attacker to control the file path and write CSV export files outside the intended CSV_OUTPUT_DIR [1][2].
Exploitation
The vulnerability is exploitable remotely via the authenticated POST endpoint /api/v1/export/. An attacker must have valid credentials to access the API, but no special privileges beyond that are required. By supplying a crafted job_name such as ../../../../tmp/csv_poc, the attacker can cause the background worker to create and write a CSV file to an arbitrary location on the server filesystem [2].
Impact
Successful exploitation allows an attacker to write arbitrary CSV files to locations outside the export directory. Depending on the server's file permissions and the content of the exported data, this could lead to overwriting sensitive files, planting malicious files (e.g., scripts in web-accessible directories), or causing denial of service by filling disk space. The impact is limited by the fact that the written content is CSV data from the export service, but the attacker controls the file name and path [2].
Mitigation
As of the publication date (May 1, 2026), no official fix has been released. The vendor was notified via an issue report but has not responded. The project uses continuous delivery with rolling releases, so no specific version details are available. Users should monitor the repository for updates and consider restricting access to the vulnerability publicly disclosed [1][2].
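The filename handling described in the overview, next to a hardened form, as an added example that is not the project's code. The function names, the value of CSV_OUTPUT_DIR, and the assumption that the job ID and timestamp are generated server-side are all hypothetical; the inputs in the checks are constructed.

```python
import re
from pathlib import Path

# Assumed location: the advisory names CSV_OUTPUT_DIR but not its value.
CSV_OUTPUT_DIR = Path("/var/lib/csv-exports")


def vulnerable_output_path(job_name: str, job_id: str, timestamp: str) -> Path:
    """Reconstruction of the described behaviour: only spaces are replaced."""
    filename = f"{job_name.replace(' ', '_')}_{job_id}_{timestamp}.csv"
    # Separators and ".." survive, and an absolute job_name replaces the base.
    return CSV_OUTPUT_DIR / filename


def safe_output_path(job_name: str, job_id: str, timestamp: str,
                     base: Path = CSV_OUTPUT_DIR) -> Path:
    """Allow-list the name, then confirm the resolved path stays in base."""
    # Anything outside [A-Za-z0-9_-] (slashes, backslashes, dots, NULs)
    # collapses to "_"; the result is length-capped and never empty.
    cleaned = re.sub(r"[^A-Za-z0-9_-]+", "_", job_name).strip("_")[:64]
    filename = f"{cleaned or 'export'}_{job_id}_{timestamp}.csv"

    base_resolved = base.resolve()
    candidate = (base_resolved / filename).resolve()
    # Defence in depth: the file must sit directly inside the export directory,
    # even if the allow-list above is later loosened.
    if candidate.parent != base_resolved:
        raise ValueError("export path escapes CSV_OUTPUT_DIR")
    return candidate


def escapes_base(path: Path, base: Path = CSV_OUTPUT_DIR) -> bool:
    """True when the resolved path lands outside the export directory."""
    return not path.resolve().is_relative_to(base.resolve())


if __name__ == "__main__":
    for name in ("weekly report", "../../../../tmp/csv_poc"):
        old = vulnerable_output_path(name, "42", "20260501")
        new = safe_output_path(name, "42", "20260501")
        print(f"{name!r}: old escapes={escapes_base(old)} new={new.name}")
```

The containment check in `escapes_base` can also be run over existing export records to find files that were already written outside the export directory.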
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches (0)
No patches discovered yet.
References (4)
News mentions (0)
No linked articles in our index yet.