Improper Input Validation through Classic Dashboard CSS in Splunk Enterprise
Advisory ID: SVD-2026-0607
CVE ID: CVE-2026-20257
Published: 2026-06-10
Last Update: 2026-06-10
CVSSv3.1 Score: 5.7, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
CWE: CWE-20
Bug ID: VULN-62655
Description
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the “admin” or “power” Splunk roles could craft a classic dashboard that exfiltrates sensitive data from the browser of a higher-privileged user who views it.
The exfiltration is possible because classic dashboard panels do not fully validate style attribute values, which can allow for requests to reach external domains outside the configured Trusted Domains List.
The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will.
See Classic Dashboards Trusted Domains List and About role-based user access in the Splunk documentation.
Solution
Upgrade Splunk Enterprise to versions 10.4.0, 10.2.4, 10.0.7, 9.4.12, and 9.3.13, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
| Product | Base Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 10.4 | Splunk Web | Not affected | 10.4.0 |
| Splunk Enterprise | 10.2 | Splunk Web | 10.2.0 to 10.2.3 | 10.2.4 |
| Splunk Enterprise | 10.0 | Splunk Web | 10.0.0 to 10.0.6 | 10.0.7 |
| Splunk Enterprise | 9.4 | Splunk Web | 9.4.0 to 9.4.11 | 9.4.12 |
| Splunk Enterprise | 9.3 | Splunk Web | 9.3.0 to 9.3.12 | 9.3.13 |
| Splunk Cloud Platform | 10.3.2512 | Splunk Web | Below 10.3.2512.13 | 10.3.2512.13 |
| Splunk Cloud Platform | 10.2.2510 | Splunk Web | Below 10.2.2510.15 | 10.2.2510.15 |
| Splunk Cloud Platform | 10.1.2507 | Splunk Web | Below 10.1.2507.23 | 10.1.2507.23 |
| Splunk Cloud Platform | 9.3.2411 | Splunk Web | Below 9.3.2411.132 | 9.3.2411.132 |
Mitigations and Workarounds
Configure the Dashboards Trusted Domains List to restrict which external domains dashboards can load content from. See Classic Dashboards Trusted Domains List in the Splunk documentation.
Review and restrict which roles have permission to create and edit classic dashboards. See About role-based user access in the Splunk documentation.
Detections
None
Severity
Splunk rates this vulnerability a 5.7, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N.
Acknowledgments
Tony Tong (tongster)