Splunk has recently addressed several security vulnerabilities in its Enterprise and Cloud Platform products, which could have allowed attackers to perform unauthorized actions such as path traversal, credential hash disclosure, and arbitrary execution of Search Processing Language (SPL) searches.
Details of the Vulnerabilities
Among the patched vulnerabilities, three are particularly noteworthy:
- CVE-2026-20296: This critical flaw, with a CVSS score of 8.3, resides in the Deployment Server component of Splunk Web. An unauthenticated attacker could exploit this by convincing a user with the ‘list_deployment_server’ capability to click on a malicious link. Due to inadequate CSRF validation on GET requests and improper handling of user input in SPL searches, the attacker could execute arbitrary SPL searches as the ‘splunk-system-user’, potentially exposing indexed data and stored credentials. Exploitation requires user interaction, typically through phishing.
- CVE-2026-20297: Rated with a CVSS score of 7.2, this high-severity path traversal vulnerability affects the App Install REST endpoint. A user possessing both ‘edit_local_apps’ and ‘install_apps’ capabilities could exploit this during a legitimate app installation. The flaw allows writing files outside the intended application directory, potentially impacting application configurations and other sensitive Splunk files.
- CVE-2026-20298: This medium-severity issue, with a CVSS score of 5.3, involves information disclosure. A low-privileged user without admin or power roles could access the ‘/servicesNS/-/-/storage/passwords’ REST endpoint via the ‘| rest’ SPL command. This could reveal the ‘encr_password’ field, exposing stored credential hashes to unauthorized users. While exploitation requires authentication and has a high attack complexity, the exposed hashes could be used for offline password-cracking attempts.
Recommended Actions
Splunk Enterprise users are strongly advised to upgrade to the following fixed versions: 10.4.1, 10.2.5, 10.0.8, 9.4.13, or later. The path traversal issue also affects the 9.3 branch, necessitating an update to version 9.3.14. For CVE-2026-20298, administrators should configure ‘limits.conf’ with ‘mask_encr_password = true’ under the ‘[storage_passwords_masking]’ stanza and restart Splunk Enterprise. Splunk Cloud Platform customers are being patched and monitored by Splunk. Organizations unable to update immediately can mitigate exposure to CVE-2026-20296 by disabling Splunk Web where it is not essential.
These vulnerabilities underscore the critical importance of timely software updates and vigilant security practices. Organizations relying on Splunk’s platforms should prioritize these patches to safeguard their systems against potential exploits.