SPL commands allowlist controls bypass in Splunk MCP Server app through "run_splunk_query" MCP tool
Advisory ID: SVD-2025-1210
CVE ID: CVE-2025-20381
Published: 2025-12-03
Last Update: 2025-12-03
CVSSv3.1 Score: 5.4, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
CWE: CWE-863
Bug ID: VULN-41183
Description
In Splunk MCP Server app versions below 0.2.4, a user with access to the “run_splunk_query” Model Context Protocol (MCP) tool could bypass the SPL command allowlist controls in MCP by embedding SPL commands as sub-searches, leading to unauthorized actions beyond the intended MCP restrictions.
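The weakness class described above is an allowlist that only inspects the commands of the outer pipeline and treats a bracketed sub-search as an opaque argument. The following Python is an added illustration, not code from the Splunk MCP Server app or from Splunk; the allowlist, the command names and the queries are constructed. It scans an SPL string while tracking quotes and bracket depth, collects the command of every pipeline segment, and recurses into each `[ ... ]` sub-search so that a command nested at any depth is compared against the allowlist. The top-level-only mode is shown alongside it to make the gap visible.

```python
"""Recursive SPL command extraction for an allowlist gate.

Added example (not the Splunk MCP Server app's own code). ALLOWLIST, QUERY
and the command names used below are constructed for illustration only.
"""
import re

# A bare command name; anything else at the head of the main pipeline
# (index=..., "quoted", wildcards, parentheses) is an implicit 'search'.
COMMAND_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def _split_pipeline(spl):
    """Split on '|' at bracket depth 0 and outside double quotes.

    Returns (segments, subsearches): the outer pipeline segments and the raw
    text of every depth-1 [ ... ] sub-search. Raises ValueError on unbalanced
    brackets or quotes so a caller can fail closed.
    """
    segments, subsearches, cur = [], [], []
    depth, in_quote, sub_start, i = 0, False, None, 0
    while i < len(spl):
        ch = spl[i]
        if in_quote:
            if ch == "\\" and i + 1 < len(spl):  # keep escaped char verbatim
                cur.append(spl[i:i + 2])
                i += 2
                continue
            if ch == '"':
                in_quote = False
            cur.append(ch)
        elif ch == '"':
            in_quote = True
            cur.append(ch)
        elif ch == "[":
            depth += 1
            if depth == 1:
                sub_start = i + 1
            cur.append(ch)
        elif ch == "]":
            if depth == 0:
                raise ValueError("unbalanced ']' in query")
            depth -= 1
            if depth == 0:
                subsearches.append(spl[sub_start:i])
            cur.append(ch)
        elif ch == "|" and depth == 0:
            segments.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if depth != 0 or in_quote:
        raise ValueError("unbalanced brackets or quotes in query")
    segments.append("".join(cur))
    return segments, subsearches


def _commands_in_pipeline(spl, recurse):
    """Return the command of each pipeline segment, lower-cased.

    With recurse=True the commands inside every nested sub-search are
    included as well; with recurse=False only the outer pipeline is seen,
    which is the bypassable pattern the advisory describes.
    """
    segments, subsearches = _split_pipeline(spl)
    cmds = []
    for idx, seg in enumerate(segments):
        words = seg.strip().split(None, 1)
        if not words:
            continue  # leading '|' produces an empty first segment
        first = words[0]
        if idx == 0 and not COMMAND_NAME.match(first):
            cmds.append("search")  # implicit search at the head of the query
        else:
            cmds.append(first.lower())
    if recurse:
        for sub in subsearches:
            cmds.extend(_commands_in_pipeline(sub, recurse=True))
    return cmds


def disallowed_commands(spl, allowlist, inspect_subsearches=True):
    """Sorted list of commands in spl that are not on the allowlist."""
    allowed = {c.lower() for c in allowlist}
    cmds = _commands_in_pipeline(spl, recurse=inspect_subsearches)
    return sorted({c for c in cmds if c not in allowed})


def is_query_allowed(spl, allowlist):
    """Gate a query: reject any disallowed command at any nesting depth and
    fail closed on input the scanner cannot parse."""
    try:
        return not disallowed_commands(spl, allowlist)
    except ValueError:
        return False


# Constructed allowlist and query for the demonstration.
ALLOWLIST = {"search", "stats", "table", "head", "where"}
QUERY = ('search index=web status=500 '
         '[search index=web | collect index=mcp_summary] '
         '| stats count by host')

if __name__ == "__main__":
    print("outer pipeline only:", disallowed_commands(QUERY, ALLOWLIST, inspect_subsearches=False))
    print("including sub-searches:", disallowed_commands(QUERY, ALLOWLIST))
    print("allowed?", is_query_allowed(QUERY, ALLOWLIST))
```

With the outer-pipeline-only mode the constructed query passes, because `collect` sits inside the sub-search; with recursion enabled it is reported and the gate rejects the query. The scanner also fails closed on unbalanced brackets or quotes, since a query the gate cannot fully parse is one it cannot vouch for. The heuristic for the implicit leading `search` treats an unrecognised bare first word as a command name, which errs toward rejection rather than acceptance.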
Solution
Upgrade Splunk MCP Server to version 0.2.4 or higher. See Splunk MCP Server releases.
Product Status
| Product | Base Version | Affected Version | Fix Version |
|---|---|---|---|
| Splunk MCP Server | 0.2 | Below 0.2.4 | 0.2.4 |
Mitigations and Workarounds
Turn off the Splunk MCP Server app. See Manage app and add-on objects.
Detections
None
Severity
Splunk rates this vulnerability a 5.4, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L.
If you do not use the Splunk MCP Server, then there should be no impact and the severity would be Informational.
Acknowledgments
Saket Pandey, Splunk