VYPR
patchPublished Jul 16, 2026· 1 source

Multiple Splunk Enterprise Vulnerabilities Allow Path Traversal and Information Disclosure

Splunk has released security updates to address three vulnerabilities in Splunk Enterprise and Splunk Cloud Platform, impacting REST API and Web components.

Splunk has issued critical security updates to patch multiple vulnerabilities affecting its Enterprise and Cloud Platform offerings. These flaws, detailed in recent advisories, could permit attackers to perform path traversal, expose stored credential hashes, and execute arbitrary Search Processing Language (SPL) commands.

The most severe of the patched vulnerabilities is CVE-2026-20296, a Cross-Site Request Forgery (CSRF) flaw impacting the Deployment Server component within Splunk Web. Rated with a CVSS score of 8.3, this vulnerability allows an unauthenticated attacker to trick a user with the 'list_deployment_server' capability into executing arbitrary SPL searches. The exploit requires user interaction, such as clicking a malicious link, but successful exploitation could lead to the exposure of sensitive indexed data and stored credentials by running commands as the 'splunk-system-user'.

Another significant vulnerability, CVE-2026-20297, is a path traversal issue with a CVSS score of 7.2. This flaw resides in the App Install REST endpoint and can be exploited by a user possessing 'edit_local_apps' and 'install_apps' capabilities during a legitimate app installation process. The vulnerability allows an attacker to write files outside the intended application directory and into sensitive locations like the Splunk home directory or its subdirectories, potentially corrupting configurations or overwriting critical files.

Rounding out the disclosed issues is CVE-2026-20298, an information disclosure vulnerability with a CVSS score of 5.3. This medium-severity flaw allows a low-privileged authenticated user to access the '/servicesNS/-/-/storage/passwords' REST endpoint via the '| rest' SPL command. The endpoint can reveal the 'encr_password' field, exposing stored credential hashes. While this requires authentication and has a high attack complexity, the disclosed hashes could be used for offline password cracking or further lateral movement within a compromised network.

Splunk Enterprise users are strongly advised to upgrade to fixed releases, including versions 10.4.1, 10.2.5, 10.0.8, 9.4.13, or later. For the path traversal vulnerability (CVE-2026-20297), version 9.3.14 is also a patched release. Additionally, for CVE-2026-20298, administrators must implement a specific configuration change by setting 'mask_encr_password = true' under the 'storage_passwords_masking' stanza in 'limits.conf' and then restart Splunk Enterprise.

Splunk Cloud Platform customers are being actively patched and monitored by Splunk. For organizations unable to immediately update their Splunk Enterprise instances, a temporary mitigation for CVE-2026-20296 involves disabling Splunk Web if it is not essential for operations. These vulnerabilities highlight the ongoing need for diligent patch management and security configuration for widely used data platforms like Splunk.

Synthesized by Vypr AI