Improper Access Control in Background Job Submission in Splunk Enterprise

Advisory ID: SVD-2025-1001

CVE ID: CVE-2025-20366

Published: 2025-10-01

Last Update: 2025-10-01

CVSSv3.1 Score: 6.5, Medium

CWE: CWE-284

Bug ID: VULN-15202

Description

In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.111, 9.3.2408.119, and 9.2.2406.122, a low-privileged user that does not hold the ‘admin’ or ‘power’ Splunk roles could access sensitive search results if Splunk Enterprise runs an administrative search job in the background. If the low-privileged user guesses the search job’s unique Search ID (SID), the user could retrieve the results of that job, potentially exposing sensitive search results.

For more information, see the Splunk documentation topics About jobs and job management and Manage search jobs.

Solution

Upgrade Splunk Enterprise to versions 9.4.4, 9.3.6, 9.2.8, or higher.

Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Product Status

Product               | Base Version | Component  | Affected Version   | Fix Version
----------------------|--------------|------------|--------------------|-------------
Splunk Enterprise     | 10.0         | Splunk Web | Not Affected       | 10.0.0
Splunk Enterprise     | 9.4          | Splunk Web | 9.4.0 to 9.4.3     | 9.4.4
Splunk Enterprise     | 9.3          | Splunk Web | 9.3.0 to 9.3.5     | 9.3.6
Splunk Enterprise     | 9.2          | Splunk Web | 9.2.0 to 9.2.7     | 9.2.8
Splunk Cloud Platform | 9.3.2411     | Splunk Web | Below 9.3.2411.111 | 9.3.2411.111
Splunk Cloud Platform | 9.3.2408     | Splunk Web | Below 9.3.2408.119 | 9.3.2408.119
Splunk Cloud Platform | 9.2.2406     | Splunk Web | Below 9.2.2406.122 | 9.2.2406.122

Mitigations and Workarounds

The vulnerability affects instances with Splunk Web enabled; turning Splunk Web off is therefore a possible workaround. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on disabling Splunk Web.
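The following is an added example, not Splunk's own tooling: it turns the Product Status table and the Splunk Web workaround into a single exposure check for one instance. It assumes the Enterprise line maintained by each base version is identified by its leading components, that versions older than every listed line are affected because they are below all fix versions, and that the advisory's workaround corresponds to `startwebserver = 0` in the `[settings]` stanza of web.conf (enabled when unset).

```python
"""Exposure check for SVD-2025-1001 / CVE-2025-20366 on a single Splunk instance.

Added example (not Splunk code). An instance is reported as:
  fixed      - version is at or above the advisory's fix for its line
  mitigated  - affected version, but Splunk Web is disabled (workaround applied)
  exposed    - affected version and Splunk Web enabled
"""
import configparser

# Fix versions from the advisory's Product Status table, keyed by base version.
FIXES = {
    "Splunk Enterprise": {"9.4": "9.4.4", "9.3": "9.3.6", "9.2": "9.2.8"},
    "Splunk Cloud Platform": {
        "9.3.2411": "9.3.2411.111",
        "9.3.2408": "9.3.2408.119",
        "9.2.2406": "9.2.2406.122",
    },
}


def parse_version(text):
    """'9.3.2411.110' -> (9, 3, 2411, 110) so tuples compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(product, version):
    """True if `version` of `product` is below the advisory's fix for its line."""
    parts = parse_version(version)
    fixes = FIXES.get(product, {})
    for base, fix in fixes.items():
        base_parts = parse_version(base)
        if parts[: len(base_parts)] == base_parts:  # same maintenance line
            return parts < parse_version(fix)
    # Not a listed line: affected only if older than every fix (assumption,
    # from "versions below 9.4.4, 9.3.6, and 9.2.8"); 10.0 and newer are not.
    return bool(fixes) and parts < min(parse_version(f) for f in fixes.values())


def splunk_web_enabled(web_conf_text):
    """False only when web.conf [settings] sets startwebserver to 0/false."""
    conf = configparser.ConfigParser(interpolation=None, strict=False)
    conf.read_string(web_conf_text)
    value = conf.get("settings", "startwebserver", fallback="1")
    return value.strip().lower() not in ("0", "false")


def assess(product, version, web_conf_text):
    """Combine version status and the Splunk Web workaround into one verdict."""
    if not is_affected(product, version):
        return "fixed"
    return "exposed" if splunk_web_enabled(web_conf_text) else "mitigated"


# Constructed sample web.conf contents (not from a real deployment).
WEAK_CONF = "[settings]\nhttpport = 8000\nstartwebserver = 1\n"
HARDENED_CONF = "[settings]\nhttpport = 8000\nstartwebserver = 0\n"

if __name__ == "__main__":
    print(assess("Splunk Enterprise", "9.3.5", WEAK_CONF))        # exposed
    print(assess("Splunk Enterprise", "9.3.5", HARDENED_CONF))    # mitigated
    print(assess("Splunk Cloud Platform", "9.3.2411.111", WEAK_CONF))  # fixed
```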

Detections

None

Severity

Splunk rates this vulnerability a 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N.