Improper Input Validation through Classic Dashboards in Splunk Enterprise
Advisory ID: SVD-2026-0605
CVE ID: CVE-2026-20255
Published: 2026-06-10
Last Update: 2026-06-10
CVSSv3.1 Score: 5.7, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CWE: CWE-20
Bug ID: VULN-62655
Description
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the “admin” or “power” Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server.
The vulnerability exists because URL validation on the external content dialog is incomplete, which can allow for requests to untrusted domains when a user interacts with a crafted dashboard.
See Classic Dashboards Trusted Domains List and About role-based user access in the Splunk documentation for more information.
Solution
Upgrade Splunk Enterprise to versions 10.4.0, 10.2.4, 10.0.7, 9.4.12, and 9.3.13, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
| Product | Base Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 10.4 | Splunk Web | Not affected | 10.4.0 |
| Splunk Enterprise | 10.2 | Splunk Web | 10.2.0 to 10.2.3 | 10.2.4 |
| Splunk Enterprise | 10.0 | Splunk Web | 10.0.0 to 10.0.6 | 10.0.7 |
| Splunk Enterprise | 9.4 | Splunk Web | 9.4.0 to 9.4.11 | 9.4.12 |
| Splunk Enterprise | 9.3 | Splunk Web | 9.3.0 to 9.3.12 | 9.3.13 |
| Splunk Cloud Platform | 10.3.2512 | Splunk Web | Below 10.3.2512.13 | 10.3.2512.13 |
| Splunk Cloud Platform | 10.2.2510 | Splunk Web | Below 10.2.2510.15 | 10.2.2510.15 |
| Splunk Cloud Platform | 10.1.2507 | Splunk Web | Below 10.1.2507.23 | 10.1.2507.23 |
| Splunk Cloud Platform | 9.3.2411 | Splunk Web | Below 9.3.2411.132 | 9.3.2411.132 |
Mitigations and Workarounds
Configure the Dashboards Trusted Domains List to restrict which external domains dashboards can load content from. See Classic Dashboards Trusted Domains List in the Splunk documentation.
Review and restrict which roles have permission to create and edit classic dashboards. See About role-based user access in the Splunk documentation.
Detections
None
Severity
Splunk rates this vulnerability a 5.7, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N.
Acknowledgments
Tony Tong (tongster)