Splunk Security Announcements

SVD-2026-0314: Third-Party Package Updates in Splunk Universal Forwarder - March 2026

Wed, 18 Mar 2026 00:00:00 +0000

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Universal Forwarder versions 10.2.1, 10.0.4 and higher.

SVD-2026-0313: Third-Party Package Updates in Splunk AppDynamics Analytics Agent - March 2026

Wed, 11 Mar 2026 00:00:00 +0000

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk AppDynamics Analytics Agent version 26.1.0, and higher.

SVD-2026-0312: Third-Party Package Updates in Splunk AppDynamics Database Agent - March 2026

Wed, 11 Mar 2026 00:00:00 +0000

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk AppDynamics Database Agent version 26.1.0, and higher.

SVD-2026-0311: Third-Party Package Updates in Splunk AppDynamics NodeJS Agent - March 2026

Wed, 11 Mar 2026 00:00:00 +0000

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk AppDynamics NodeJS Agent version 25.12.1, and higher.

SVD-2026-0310: Third-Party Package Updates in Splunk AppDynamics Java Agent - March 2026

Wed, 11 Mar 2026 00:00:00 +0000

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk AppDynamics Java Agent version 26.1.0, and higher.

SVD-2026-0309: Third-Party Package Updates in Splunk AppDynamics Private Synthetic Agent - March 2026

Wed, 11 Mar 2026 00:00:00 +0000

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk AppDynamics Private Synthetic Agent version 26.1.0, and higher.

SVD-2026-0308: Third-Party Package Updates in Splunk AppDynamics Machine Agent - March 2026

Wed, 11 Mar 2026 00:00:00 +0000

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk AppDynamics Machine Agent version 26.1.0, and higher.

SVD-2026-0307: Third-Party Package Updates in Splunk AppDynamics On-Premises Enterprise Console - March 2026

Wed, 11 Mar 2026 00:00:00 +0000

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk AppDynamics On-Premises Enterprise Console version 26.1.1, and higher.

SVD-2026-0306: Third-Party Package Updates in Splunk Enterprise - March 2026

Wed, 11 Mar 2026 00:00:00 +0000

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 10.2.1, 10.0.4, 9.4.9, 9.3.10, and higher.

SVD-2026-0305: Sensitive Information Disclosure in Discover Splunk Observability Cloud app for Splunk Enterprise

Wed, 11 Mar 2026 00:00:00 +0000

In Splunk Enterprise versions below 10.2.1 and 10.0.4, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, and 10.0.2503.12, a low-privileged user that does not hold the “admin” or “power” Splunk roles could retrieve the Observability Cloud API access token through the Discover Splunk Observability Cloud app due to improper access control.

This vulnerability does not affect Splunk Enterprise versions below 9.4.9 and 9.3.10 because the Discover Splunk Observability Cloud app does not come with Splunk Enterprise.

SVD-2026-0304: Sensitive Information Disclosure in MongoClient logging channel in Splunk Enterprise

Wed, 11 Mar 2026 00:00:00 +0000

In Splunk Enterprise versions below 10.2.1, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.7, 10.1.2507.17, 10.0.2503.12, and 9.3.2411.124, a low-privileged user that does not hold the “admin” or “power” Splunk roles could retrieve sensitive information by inspecting the job’s search log due to improper access control in the MongoClient logging channel.

SVD-2026-0303: Sensitive Information Disclosure through Improper Access Control in Splunk Enterprise

Wed, 11 Mar 2026 00:00:00 +0000

In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, 10.0.2503.11, and 9.3.2411.123, a low-privileged user that does not hold the “admin” or “power” Splunk roles could access the /splunkd/__raw/servicesNS/-/-/configs/conf-passwords REST API endpoint, which exposes the hashed or plaintext password values that are stored in the passwords.conf configuration file due to improper access control. This vulnerability could allow for the unauthorized disclosure of sensitive credentials.

SVD-2026-0302: Remote Command Execution (RCE) through the '/splunkd/__upload/indexing/preview' REST endpoint in Splunk Enterprise

Wed, 11 Mar 2026 00:00:00 +0000

In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124, a user who holds a role that contains the high-privilege capability edit_cmd could execute arbitrary shell commands using the unarchive_cmd parameter for the /splunkd/__upload/indexing/preview REST endpoint.

SVD-2026-0301: Stored Cross-Site Scripting (XSS) through Path Traversal in Splunk Enterprise

Wed, 11 Mar 2026 00:00:00 +0000

In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.9, and Splunk Cloud Platform versions below 10.2.2510.4, 10.1.2507.15, 10.0.2503.11, and 9.3.2411.123, a low-privileged user who does not hold the “admin” or “power” Splunk roles could craft a malicious payload when creating a View (Settings - User Interface - Views) at the /manager/launcher/data/ui/views/_new endpoint leading to a Stored Cross-Site Scripting (XSS) through a path traversal vulnerability. This could result in execution of unauthorized JavaScript code in the browser of a user.

The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.

SVD-2026-0212: Third-Party Package Updates in Splunk DB Connect - February 2026

Wed, 18 Feb 2026 00:00:00 +0000

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk DB Connect version 4.2.0 and higher.

SVD-2026-0211: Third-Party Package Updates in Splunk Enterprise - February 2026

Wed, 18 Feb 2026 00:00:00 +0000

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 10.0.3, 9.4.8, 9.3.9, 9.2.12, 10.2.0, and higher.

SVD-2026-0210: Third-Party Package Updates in Splunk Universal Forwarder - February 2026

Wed, 18 Feb 2026 00:00:00 +0000

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Universal Forwarder versions 10.0.3, 9.4.8, 9.4.7, 9.3.9, 9.2.12, and higher.

SVD-2026-0209: Sensitive Information Disclosure in ''_internal'' index in Splunk Enterprise

Wed, 18 Feb 2026 00:00:00 +0000

In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.8, and 9.2.11, and Splunk Cloud Platform versions below 10.2.2510.0, 10.1.2507.11, 10.0.2503.9, and 9.3.2411.120, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the the Splunk _internal index could view the Security Assertion Markup Language (SAML) configurations for Attribute query requests (AQRs) or Authentication extensions in plain text within the conf.log file, depending on which feature is configured.

SVD-2026-0208: Local Privilege Escalation in Splunk Enterprise for Windows through Python Module Search Path

Wed, 18 Feb 2026 00:00:00 +0000

In Splunk Enterprise for Windows versions below 10.2.0, 10.0.3, 9.4.8, and 9.3.9, a low‑privileged Windows user that can create a directory on the system drive where Splunk Enterprise is installed can write a malicious Python script into that directory. This could result in a Local Privilege Escalation (LPE) and a Denial of Service (DoS), as the malicious Python script might run with system level privileges when the Splunk Enterprise instance restarts.

SVD-2026-0207: Sensitive Information Disclosure in "_internal" index in Splunk Enterprise

Wed, 18 Feb 2026 00:00:00 +0000

In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the Splunk _internal index could view the RSA accessKey value from the Authentication.conf file, in plain text.

SVD-2026-0206: Improper Access Control in Splunk Monitoring Console App

Wed, 18 Feb 2026 00:00:00 +0000

In Splunk Enterprise versions below 10.0.2, 10.0.3, 9.4.8, and 9.3.9, a low-privileged user who does not hold the “admin” Splunk role could access the Splunk Monitoring Console App endpoints due to an improper access control. This could lead to a sensitive information disclosure.

The Monitoring Console app is a bundled app that comes with Splunk Enterprise. It is not available for download on SplunkBase, and is not installed on Splunk Cloud Platform instances. This vulnerability does not affect Cloud Monitoring Console.

SVD-2026-0205: Local Privilege Escalation (LPE) in Splunk Enterprise for Windows through DLL Search‑Order Hijacking

Wed, 18 Feb 2026 00:00:00 +0000

In Splunk Enterprise for Windows versions below 10.2.0, 10.0.3, 9.4.8, 9.3.9, and 9.2.12, a low‑privileged Windows user who can create a directory on the system drive where Splunk Enterprise is installed and write a malicious DLL into that directory, might cause Splunk Enterprise for Windows to load that DLL during Splunk Enterprise service startup. This condition can result in a Local Privilege Escalation (LPE) through a DLL search‑order hijacking, as the injected DLL might run with system level privileges when the Splunk Enterprise instance restarts.

SVD-2026-0204: Client-Side Denial of Service (DoS) through ''/splunkd/__raw/services/authentication/users/username'' REST API endpoint in Splunk Enterprise

Wed, 18 Feb 2026 00:00:00 +0000

In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.8, 9.3.9, and 9.2.12, and Splunk Cloud Platform versions below 10.2.2510.3, 10.1.2507.8, 10.0.2503.9, and 9.3.2411.121, a low-privileged user that does not hold the “admin” or “power” Splunk roles could craft a malicious payload into the realname, tz, or email parameters of the /splunkd/__raw/services/authentication/users/username REST API endpoint when they change a password. This could potentially lead to a client‑side denial‑of‑service (DoS). The malicious payload might significantly slow page load times or render Splunk Web temporarily unresponsive.

SVD-2026-0203: Sensitive Information Disclosure in "_internal" index in Splunk Enterprise

Wed, 18 Feb 2026 00:00:00 +0000

In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the Splunk _internal index could view the integrationKey, secretKey, and appSecretKey secrets, generated by Duo Two-Factor Authentication for Splunk Enterprise, in plain text.

SVD-2026-0202: Risky Commands Safeguards Bypass through preloaded Data Models due to Path Traversal vulnerability in Splunk Enterprise

Wed, 18 Feb 2026 00:00:00 +0000

In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.5, 9.3.7, and 9.2.9, and Splunk Cloud Platform versions below 10.1.2507.0, 10.0.2503.9, 9.3.2411.112, and 9.3.2408.122, a low-privileged user who does not hold the “admin” or “power” Splunk roles could bypass the SPL safeguards for risky commands when they create a Data Model that contains an injected SPL query within an object. They can bypass the safeguards by exploiting a path traversal vulnerability.

SVD-2026-0201: Third-Party Package Updates in Splunk SOAR - February 2026

Wed, 04 Feb 2026 00:00:00 +0000

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk SOAR version 7.1.0.

SVD-2026-0101: Third-Party Package Update in Splunk Enterprise - MongoDB CVE-2025-14847

Wed, 28 Jan 2026 00:00:00 +0000

Splunk remedied CVE-2025-14847 in MongoDB in Splunk Enterprise versions 10.2.0, 10.0.3, 9.4.8, 9.3.9, 9.2.12, and higher.

SVD-2025-1210: SPL commands allowlist controls bypass in Splunk MCP Server app through "run_splunk_query" MCP tool

Wed, 03 Dec 2025 00:00:00 +0000

In Splunk MCP Server app versions below 0.2.4, a user with access to the “run_splunk_query” Model Context Protocol (MCP) tool could bypass the SPL command allowlist controls in MCP by embedding SPL commands as sub-searches, leading to unauthorized actions beyond the intended MCP restrictions.

SVD-2025-1209: Third-Party Package Updates in Splunk Enterprise - December 2025

Wed, 03 Dec 2025 00:00:00 +0000

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 10.0.2, 9.4.6, 9.3.8, 9.2.10, and higher.

SVD-2025-1208: Improper Input Validation in "label" column field in Splunk Secure Gateway App

Wed, 03 Dec 2025 00:00:00 +0000

In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and versions below 3.9.10, 3.8.58 and 3.7.28 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the “admin” or “power” Splunk roles could craft a malicious payload through the label column field after adding a new device in the Splunk Secure Gateway app. This could potentially lead to a client-side denial of service (DoS).