Error message discloses internal path

Advisory ID: SVD-2022-0507

CVE ID: CVE-2022-26070

Published: 2022-05-03

Last Update: 2022-05-03

CVSSv3.1 Score: 4.3, Medium

CWE: CWE-200

Bug ID: SPL-180503


When handling a mismatched pre-authentication cookie, the application leaks the internal error message in the response, which contains the Splunk Enterprise local system path. The vulnerability impacts Splunk Enterprise versions before 8.1.0.

The vulnerability impacts instances with Splunk Web enabled. See Disable unnecessary Splunk Enterprise components and web.conf for more information on disabling Splunk Web.


Upgrade Splunk Enterprise to 8.1.0 or later.

Product Status

ProductVersionComponentAffected VersionFix Version
Splunk Enterprise8.1Splunk WebVersions below

The vulnerability does not impact Splunk Cloud Platform instances.


Dipak Prajapati (Lethal)