Server-Side Request Forgery (SSRF) through Dashboard Studio PDF Export in Splunk Enterprise
Advisory ID: SVD-2026-0602
CVE ID: CVE-2026-20252
Published: 2026-06-10
Last Update: 2026-06-10
CVSSv3.1 Score: 7.6, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
CWE: CWE-918
Bug ID: VULN-69892
Description
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.4.2604.3, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, a low-privileged user that does not hold the “admin” or “power” Splunk roles could send server-side requests to arbitrary internal destinations through the Dashboard Studio PDF export feature.
The vulnerability exists because the trusted-domain validation uses a prefix match that can be bypassed with attacker-controlled subdomains (for example, docs.splunk.com.evil.com), and because the PDF export service follows HTTP redirects automatically without re-validating each redirect target against the allowlist.
See Secure Splunk Enterprise and Dashboard Studio in the Splunk documentation for more information.
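The two flaws described above, shown as an added example (not Splunk's code): a prefix-match allowlist beside an exact-hostname check, and a redirect follower that re-validates every hop. The function names, the `send` callable, the allowlist contents and the sample responses are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, urljoin

TRUSTED_HOSTS = {"docs.splunk.com"}  # assumed allowlist, from the advisory's example
MAX_REDIRECTS = 5
REDIRECT_CODES = (301, 302, 303, 307, 308)

def prefix_check(url):
    """Flawed pattern: string prefix match on the raw URL."""
    return any(url.startswith("https://" + h) for h in TRUSTED_HOSTS)

def host_check(url):
    """Hardened pattern: parse the URL, then compare scheme and exact hostname."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False
    if parts.scheme != "https" or host is None:
        return False
    return host.lower().rstrip(".") in TRUSTED_HOSTS

def fetch_validated(url, send, check=host_check):
    """Follow redirects by hand, validating each target before requesting it.

    `send(url)` is a hypothetical one-shot HTTP client with automatic
    redirects disabled; it returns (status, location_header, body).
    """
    for _ in range(MAX_REDIRECTS + 1):
        if not check(url):
            raise PermissionError(f"blocked destination: {url}")
        status, location, body = send(url)
        if status not in REDIRECT_CODES:
            return body
        if not location:
            raise PermissionError("redirect without Location header")
        url = urljoin(url, location)  # resolve relative redirects
    raise PermissionError("too many redirects")

# Constructed responses standing in for the network (not captured traffic).
CONSTRUCTED = {
    "https://docs.splunk.com/img/logo.png": (200, None, b"image-bytes"),
    "https://docs.splunk.com/moved": (301, "/img/logo.png", b""),
    "https://docs.splunk.com/go": (302, "http://10.0.0.5/status", b""),
}

def fake_send(url):
    return CONSTRUCTED[url]
```

Because `fetch_validated` checks the target before calling `send`, the redirect to the internal address is refused without any request being issued to it.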
Solution
Upgrade Splunk Enterprise to version 10.4.0, 10.2.4, 10.0.7, 9.4.12, or 9.3.13, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
| Product | Base Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 10.4 | Splunk Web | Not affected | 10.4.0 |
| Splunk Enterprise | 10.2 | Splunk Web | 10.2.0 to 10.2.3 | 10.2.4 |
| Splunk Enterprise | 10.0 | Splunk Web | 10.0.0 to 10.0.6 | 10.0.7 |
| Splunk Enterprise | 9.4 | Splunk Web | 9.4.0 to 9.4.11 | 9.4.12 |
| Splunk Enterprise | 9.3 | Splunk Web | 9.3.0 to 9.3.12 | 9.3.13 |
| Splunk Cloud Platform | 10.4.2604 | Splunk Web | Below 10.4.2604.3 | 10.4.2604.3 |
| Splunk Cloud Platform | 10.3.2512 | Splunk Web | Below 10.3.2512.12 | 10.3.2512.12 |
| Splunk Cloud Platform | 10.2.2510 | Splunk Web | Below 10.2.2510.14 | 10.2.2510.14 |
| Splunk Cloud Platform | 10.1.2507 | Splunk Web | Below 10.1.2507.22 | 10.1.2507.22 |
| Splunk Cloud Platform | 9.3.2411 | Splunk Web | Below 9.3.2411.132 | 9.3.2411.132 |
Mitigations and Workarounds
None
Detections
None
Severity
Splunk rates this vulnerability a 7.6, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L.
Acknowledgments
M Mahdan Argya Syarif (0xbeludan)