Improper Input Validation through Protocol-Relative URL in Classic Dashboards in Splunk Enterprise
Advisory ID: SVD-2026-0606
CVE ID: CVE-2026-20256
Published: 2026-06-10
Last Update: 2026-06-10
CVSSv3.1 Score: 5.7, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CWE: CWE-20
Bug ID: VULN-62655
Description
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the ‘admin’ or ‘power’ Splunk roles could cause data exfiltration through classic dashboards by redirecting a victim to an external site using a protocol-relative URL in a drill-down link.
The vulnerability exists because the URL classifier in classic dashboards only recognizes http:// and https:// schemes when checking for external URLs. Protocol-relative URLs such as //attacker.com bypass this check entirely, and Splunk Web does not show the external-navigation warning dialog to the victim.
See Classic Dashboards Trusted Domains List and About role-based user access in the Splunk documentation.
Solution
Upgrade Splunk Enterprise to versions 10.4.0, 10.2.4, 10.0.7, 9.4.12, and 9.3.13, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
| Product | Base Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 10.4 | Splunk Web | Not affected | 10.4.0 |
| Splunk Enterprise | 10.2 | Splunk Web | 10.2.0 to 10.2.3 | 10.2.4 |
| Splunk Enterprise | 10.0 | Splunk Web | 10.0.0 to 10.0.6 | 10.0.7 |
| Splunk Enterprise | 9.4 | Splunk Web | 9.4.0 to 9.4.11 | 9.4.12 |
| Splunk Enterprise | 9.3 | Splunk Web | 9.3.0 to 9.3.12 | 9.3.13 |
| Splunk Cloud Platform | 10.3.2512 | Splunk Web | Below 10.3.2512.13 | 10.3.2512.13 |
| Splunk Cloud Platform | 10.2.2510 | Splunk Web | Below 10.2.2510.15 | 10.2.2510.15 |
| Splunk Cloud Platform | 10.1.2507 | Splunk Web | Below 10.1.2507.23 | 10.1.2507.23 |
| Splunk Cloud Platform | 9.3.2411 | Splunk Web | Below 9.3.2411.132 | 9.3.2411.132 |
Mitigations and Workarounds
Configure the Dashboards Trusted Domains List to restrict which external domains dashboards can load content from. See Classic Dashboards Trusted Domains List in the Splunk documentation.
Review and restrict which roles have permission to create and edit classic dashboards. See About role-based user access in the Splunk documentation.
Detections
None
Severity
Splunk rates this vulnerability a 5.7, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N.
Acknowledgments
Tony Tong (tongster)