Information Disclosure through External Content Restriction Bypass in Splunk Enterprise
Advisory ID: SVD-2026-0604
CVE ID: CVE-2026-20254
Published: 2026-06-10
Last Update: 2026-06-10
CVSSv3.1 Score: 5.7, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CWE: CWE-20
Bug ID: VULN-62655
Description
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the ‘admin’ or ‘power’ Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server when a higher-privileged user views it, bypassing the external content restriction through a Cascading Style Sheets (CSS) injection.
The Trusted Domains security check does not fully validate inline style attribute values, which can allow for outbound requests to untrusted domains and credential exfiltration when a victim views a crafted dashboard.
See Classic Dashboards Trusted Domains List and About role-based user access in the Splunk documentation for more information.
Solution
Upgrade Splunk Enterprise to versions 10.4.0, 10.2.4, 10.0.7, 9.4.12, and 9.3.13, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
| Product | Base Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 10.4 | Splunk Web | Not affected | 10.4.0 |
| Splunk Enterprise | 10.2 | Splunk Web | 10.2.0 to 10.2.3 | 10.2.4 |
| Splunk Enterprise | 10.0 | Splunk Web | 10.0.0 to 10.0.6 | 10.0.7 |
| Splunk Enterprise | 9.4 | Splunk Web | 9.4.0 to 9.4.11 | 9.4.12 |
| Splunk Enterprise | 9.3 | Splunk Web | 9.3.0 to 9.3.12 | 9.3.13 |
| Splunk Cloud Platform | 10.3.2512 | Splunk Web | Below 10.3.2512.13 | 10.3.2512.13 |
| Splunk Cloud Platform | 10.2.2510 | Splunk Web | Below 10.2.2510.15 | 10.2.2510.15 |
| Splunk Cloud Platform | 10.1.2507 | Splunk Web | Below 10.1.2507.23 | 10.1.2507.23 |
| Splunk Cloud Platform | 9.3.2411 | Splunk Web | Below 9.3.2411.132 | 9.3.2411.132 |
Mitigations and Workarounds
Configure the Dashboards Trusted Domains List to restrict which external domains dashboards can load content from. See Classic Dashboards Trusted Domains List in the Splunk documentation.
Review and restrict which roles have permission to create and edit classic dashboards. See About role-based user access in the Splunk documentation.
Detections
None
Severity
Splunk rates this vulnerability a 5.7, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N.
Acknowledgments
Fredrik Alexandersson (stok)