Splunk Security and Observability Platform
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any Splunk product.
RSS Feeds for Splunk security vulnerabilities
Create a CVE RSS feed including security vulnerabilities found in Splunk products with stack.watch. Just hit watch, then grab your custom RSS feed url.
Products by Splunk Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 9 vulnerabilities in Splunk with an average score of 6.4 out of ten. Last year, in 2025 Splunk had 36 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that number of security vulnerabilities in Splunk in 2026 could surpass last years number. However, the average CVE base score of the vulnerabilities in 2026 is greater by 1.10.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 9 | 6.36 |
| 2025 | 36 | 5.26 |
| 2024 | 41 | 6.15 |
| 2023 | 45 | 6.74 |
| 2022 | 53 | 7.10 |
| 2021 | 16 | 6.33 |
| 2020 | 9 | 5.30 |
| 2019 | 3 | 7.10 |
| 2018 | 5 | 0.00 |
It may take a day or so for new Splunk vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Splunk Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-20163 | Mar 11, 2026 |
Arbitrary Shell Exec via unarchive_cmd in Splunk Enterprise <10.2.0In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124, a user who holds a role that contains the high-privilege capability `edit_cmd` could execute arbitrary shell commands using the `unarchive_cmd` parameter for the `/splunkd/__upload/indexing/preview` REST endpoint. |
Splunk
Splunk Cloud Platform
|
| CVE-2026-20162 | Mar 11, 2026 |
Splunk Enterprise <=10.2.0 Stored XSS via View CreationIn Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.9, and Splunk Cloud Platform versions below 10.2.2510.4, 10.1.2507.15, 10.0.2503.11, and 9.3.2411.123, a low-privileged user who does not hold the "admin" or "power" Splunk roles could craft a malicious payload when creating a View (Settings - User Interface - Views) at the `/manager/launcher/data/ui/views/_new` endpoint leading to a Stored Cross-Site Scripting (XSS) through a path traversal vulnerability. This could result in execution of unauthorized JavaScript code in the browser of a user. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will. |
Splunk
Splunk Cloud Platform
|
| CVE-2026-20166 | Mar 11, 2026 |
Low-privileged user reads Observability Cloud API token in Splunk <10.2.1In Splunk Enterprise versions below 10.2.1 and 10.0.4, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, and 10.0.2503.12, a low-privileged user that does not hold the "admin" or "power" Splunk roles could retrieve the Observability Cloud API access token through the Discover Splunk Observability Cloud app due to improper access control. This vulnerability does not affect Splunk Enterprise versions below 9.4.9 and 9.3.10 because the Discover Splunk Observability Cloud app does not come with Splunk Enterprise. |
Splunk
Splunk Cloud Platform
|
| CVE-2026-20164 | Mar 11, 2026 |
Splunk Enterprise <10.2.0 & <10.0.3 leaks passwords via conf-passwords APIIn Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, 10.0.2503.11, and 9.3.2411.123, a low-privileged user that does not hold the "admin" or "power" Splunk roles could access the `/splunkd/__raw/servicesNS/-/-/configs/conf-passwords` REST API endpoint, which exposes the hashed or plaintext password values that are stored in the passwords.conf configuration file due to improper access control. This vulnerability could allow for the unauthorized disclosure of sensitive credentials. |
Splunk
Splunk Cloud Platform
|
| CVE-2026-20165 | Mar 11, 2026 |
Splunk: LowPrivileged User Access Bypass before 10.2.1/10.2.2510.7In Splunk Enterprise versions below 10.2.1, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.7, 10.1.2507.17, 10.0.2503.12, and 9.3.2411.124, a low-privileged user that does not hold the "admin" or "power" Splunk roles could retrieve sensitive information by inspecting the job's search log due to improper access control in the MongoClient logging channel. |
Splunk
Splunk Cloud Platform
|
| CVE-2026-20142 | Feb 18, 2026 |
Splunk Enterprise SHC RSA accessKey Disclosure via _internal (pre-10.2.0/10.0.2/9.4.7/9.3.9/9.2.11)In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the Splunk `_internal` index could view the RSA `accessKey` value from the [<u>Authentication.conf</u> ](https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/10.2/configuration-file-reference/10.2.0-configuration-file-reference/authentication.conf)file, in plain text. |
Splunk
|
| CVE-2026-20138 | Feb 18, 2026 |
Splunk Enterprise SHC `_internal` index leaks Duo secrets until 10.2In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the Splunk `_internal` index could view the `integrationKey`, `secretKey`, and `appSecretKey` secrets, generated by [Duo Two-Factor Authentication for Splunk Enterprise](https://duo.com/docs/splunk), in plain text. |
Splunk
|
| CVE-2026-20139 | Feb 18, 2026 |
Splunk Enterprise <10.2.0 & <10.0.2 DoS via /services/auth/users APIIn Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.8, 9.3.9, and 9.2.12, and Splunk Cloud Platform versions below 10.2.2510.3, 10.1.2507.8, 10.0.2503.9, and 9.3.2411.121, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload into the `realname`, `tz`, or `email` parameters of the `/splunkd/__raw/services/authentication/users/username` REST API endpoint when they change a password. This could potentially lead to a clientside denialofservice (DoS). The malicious payload might significantly slow page load times or render Splunk Web temporarily unresponsive. |
Splunk
Splunk Cloud Platform
|
| CVE-2026-20144 | Feb 18, 2026 |
Splunk Enterprise SHC SAML Config Disclosure via conf.log v<=10.2.0,10.0.2,9.4.7,9.3.8,9.2.11In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.8, and 9.2.11, and Splunk Cloud Platform versions below 10.2.2510.0, 10.1.2507.11, 10.0.2503.9, and 9.3.2411.120, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the the Splunk _internal index could view the Security Assertion Markup Language (SAML) configurations for Attribute query requests (AQRs) or Authentication extensions in plain text within the conf.log file, depending on which feature is configured. |
Splunk
Splunk Cloud Platform
|
| CVE-2025-20388 | Dec 03, 2025 |
Splunk Enterprise <10.0.1: IP/Port Enum via change_authIn Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.7, and 9.3.2411.116, a user who holds a role that contains the high privilege capability `change_authentication` could enumerate internal IP addresses and network ports when adding new search peers to a Splunk search head in a distributed environment. |
Splunk
Splunk Cloud Platform
|
| CVE-2025-20389 | Dec 03, 2025 |
Splunk Enterprise <=10.0.2 Low-Priv DoS via Secure Gateway 'label'In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and versions below 3.9.10, 3.8.58 and 3.7.28 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload through the `label` column field after adding a new device in the Splunk Secure Gateway app. This could potentially lead to a client-side denial of service (DoS). |
Splunk
Splunk Cloud Platform
Splunk Secure Gateway
And others... |
| CVE-2025-20387 | Dec 03, 2025 |
Splunk U.F. Windows <10.0.2: Permission Disclosure via Improper ACLIn Splunk Universal Forwarder for Windows versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Universal Forwarder for Windows Installation directory. This lets non-administrator users on the machine access the directory and all its contents. |
Splunk
|
| CVE-2025-20383 | Dec 03, 2025 |
Low-privileged Users Leak Alert Data via Push Notifications in Splunk <10.0.2In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and below 3.9.10, 3.8.58, and 3.7.28 of Splunk Secure Gateway app in Splunk Cloud Platform, a low-privileged user that does not hold the "admin" or "power" Splunk roles and subscribes to mobile push notifications could receive notifications that disclose the title and description of the report or alert even if they do not have access to view the report or alert. |
Splunk
Splunk Cloud Platform
Splunk Secure Gateway
And others... |
| CVE-2025-20384 | Dec 03, 2025 |
ANSI Escape Code Injection in Splunk Enterprise <10.0.1/9.4.6/9.3.8/9.2.10In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.6, and 9.3.2411.117.125, an unauthenticated attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files due to improper validation at the /en-US/static/ web endpoint. This may allow them to poison, forge, or obfuscate sensitive log data through specially crafted HTTP requests, potentially impacting log integrity and detection capabilities. |
Splunk
Splunk Cloud Platform
|
| CVE-2025-20386 | Dec 03, 2025 |
Splunk Enterprise Windows 10.0.2, 9.4.6, 9.3.8, 9.2.10: Non-Admin Directory AccessIn Splunk Enterprise for Windows versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Splunk Enterprise for Windows Installation directory. This lets non-administrator users on the machine access the directory and all its contents. |
Splunk
|
| CVE-2025-20385 | Dec 03, 2025 |
Splunk Enterprise: Reflected XSS via href in nav bar (pre-10.0.2)In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.6, 10.0.2503.7, and 9.3.2411.117, a user who holds a role with a high privilege capability `admin_all_objects` could craft a malicious payload through the href attribute of an anchor tag within a collection in the navigation bar, which could result in execution of unauthorized JavaScript code in the browser of a user. |
Splunk
Splunk Cloud Platform
|
| CVE-2025-20381 | Dec 03, 2025 |
Splunk MCP Server App v<0.2.4 Allows Unchecked SPL via MCP Sub-searchesIn Splunk MCP Server app versions below 0.2.4, a user with access to the "run_splunk_query" Model Context Protocol (MCP) tool could bypass the SPL command allowlist controls in MCP by embedding SPL commands as sub-searches, leading to unauthorized actions beyond the intended MCP restrictions. |
Splunk
|
| CVE-2025-20382 | Dec 03, 2025 |
Splunk <10.0.2 Unvalidated Redirect via data:image/png URLIn Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.10, 10.0.2503.8, and 9.3.2411.120, a low-privileged user that does not hold the "admin" or "power" Splunk roles could create a views dashboard with a custom background using the `data:image/png;base64` protocol that could potentially lead to an unvalidated redirect. This behavior circumvents the Splunk external URL warning mechanism by using a specially crafted URL, allowing for a redirection to an external malicious site. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will. |
Splunk
Splunk Cloud Platform
|
| CVE-2025-20373 | Nov 26, 2025 |
Plain Text Client Secrets in Splunk Addon for Palo Alto Networks <2.0.2In Splunk Add-on for Palo Alto Networks versions below 2.0.2, the add-on exposes client secrets in plain text in the _internal index during the addition of new Data Security Accounts. The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) in the Splunk documentation for more information. |
Splunk
|
| CVE-2025-20379 | Nov 12, 2025 |
Splunk Enterprise: Auth Bypass via /services/streams/search REST q param<10.0.1)In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, and 9.2.9 and Splunk Cloud Platform versions below 9.3.2411.116, 9.3.2408.124, 10.0.2503.5 and 10.1.2507.1, a low-privileged user that does not hold the admin or power Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands. They could bypass these safeguards on the /services/streams/search endpoint through its q parameter by circumventing endpoint restrictions using character encoding in the REST path. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will. |
Splunk
Splunk Cloud Platform
|
| CVE-2025-20378 | Nov 12, 2025 |
Splunk Enterprise <10.0.1 Unauthorized Open Redirect via return_toIn Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, 9.2.9, and Splunk Cloud Platform versions below 10.0.2503.5, 9.3.2411.111, and 9.3.2408.121, an unauthenticated attacker could craft a malicious URL using the `return_to` parameter of the Splunk Web login endpoint. When an authenticated user visits the malicious URL, it could cause an unvalidated redirect to an external malicious site. To be successful, the attacker has to trick the victim into initiating a request from their browser. The unauthenticated attacker should not be able to exploit the vulnerability at will. |
Splunk
Splunk Cloud Platform
|
| CVE-2025-20368 | Oct 01, 2025 |
Splunk Enterprise XSS via Saved Search Details (9.4.4, 9.3.6, 9.2.8)In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a low privileged user that does not hold the admin or power Splunk roles could craft a malicious payload through the error messages and job inspection details of a saved search. This could result in execution of unauthorized JavaScript code in the browser of a user. |
Splunk
Splunk Cloud Platform
|
| CVE-2025-20371 | Oct 01, 2025 |
Splunk SSO/SSRF: Unauth SSRF prior to 10.0.1 & 9.3.2411.109In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6 and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119 and 9.2.2406.122, an unauthenticated attacker could trigger a blind server-side request forgery (SSRF) potentially letting an attacker perform REST API calls on behalf of an authenticated high-privileged user. |
Splunk
Splunk Cloud Platform
|
| CVE-2025-20367 | Oct 01, 2025 |
Splunk: Low-Priv JS Exec via dataset.command in /app/search/table (9.4.3)In Splunk Enterprise versions below 9.4.4, 9.3.6 and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119 and 9.2.2406.122, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could craft a malicious payload through the `dataset.command` parameter of the `/app/search/table` endpoint, which could result in execution of unauthorized JavaScript code in the browser of a user. |
Splunk
Splunk Cloud Platform
|
| CVE-2025-20370 | Oct 01, 2025 |
Splunk Enterprise DoS via LDAP Repeated Bind Attack (v<10.0.1,9.4.4,9.3.6,9.2.8)In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a user who holds a role that contains the high-privilege capability `change_authentication`, could send multiple LDAP bind requests to a specific internal endpoint, resulting in high server CPU usage, which could potentially lead to a denial of service (DoS) until the Splunk Enterprise instance is restarted. See https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/manage-splunk-platform-users-and-roles/define-roles-on-the-splunk-platform-with-capabilities and https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/10.0/use-ldap-as-an-authentication-scheme/configure-ldap-with-splunk-web#cfe47e31_007f_460d_8b3d_8505ffc3f0dd__Configure_LDAP_with_Splunk_Web for more information. |
Splunk
|
| CVE-2025-20366 | Oct 01, 2025 |
Splunk <9.4.4/9.3.6/9.2.8, Cloud <9.3.2411.111: Low-Priv SID Guess Grants SearchIn Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.111, 9.3.2408.119, and 9.2.2406.122, a low-privileged user that does not hold the admin or power Splunk roles could access sensitive search results if Splunk Enterprise runs an administrative search job in the background. If the low privileged user guesses the search jobs unique Search ID (SID), the user could retrieve the results of that job, potentially exposing sensitive search results. For more information see https://help.splunk.com/en/splunk-enterprise/search/search-manual/10.0/manage-jobs/about-jobs-and-job-management and https://help.splunk.com/en/splunk-enterprise/search/search-manual/10.0/manage-jobs/manage-search-jobs. |
Splunk
Splunk Cloud Platform
|
| CVE-2025-20369 | Oct 01, 2025 |
Splunk Enterprise XXE via dashboard tab label (pre 9.4.4, 9.3.6, 9.2.8)In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.108, 9.3.2408.118 and 9.2.2406.123, a low privilege user that does not hold the "admin" or "power" Splunk roles could perform an extensible markup language (XML) external entity (XXE) injection through the dashboard tab label field. The XXE injection has the potential to cause denial of service (DoS) attacks. |
Splunk
Splunk Cloud Platform
|
| CVE-2025-20324 | Jul 07, 2025 |
Splunk Enterprise <9.4.2,9.3.5,9.2.7,9.1.10 low-priv overwrite via RESTIn Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.7, and 9.1.10 and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, a low-privileged user that does not hold the "admin" or "power" Splunk roles could create or overwrite [system source type](https://help.splunk.com/en/splunk-enterprise/get-started/get-data-in/9.2/configure-source-types/create-source-types) configurations by sending a specially-crafted payload to the `/servicesNS/nobody/search/admin/sourcetypes/` REST endpoint on the Splunk management port. |
Splunk
Splunk Cloud Platform
|
| CVE-2025-20323 | Jul 07, 2025 |
Splunk Enterprise <9.4.3 – Low-Priv User Can Disable Bucket Copy TriggerIn Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a low-privileged user that does not hold the "admin" or "power" Splunk roles could turn off the scheduled search `Bucket Copy Trigger` within the Splunk Archiver application. This is because of missing access controls in the saved searches for this app. |
Splunk
|
| CVE-2025-20322 | Jul 07, 2025 |
Splunk Enterprise/Cloud CSRF Causing SHC Restart & DoS (v <9.4.3)In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.113, and 9.2.2406.119, an unauthenticated attacker could send a specially-crafted SPL search command that could trigger a rolling restart in the Search Head Cluster through a Cross-Site Request Forgery (CSRF), potentially leading to a denial of service (DoS).<br><br>The vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will.<br><br>See [How rolling restart works](https://docs.splunk.com/Documentation/Splunk/9.4.2/DistSearch/RestartSHC) for more information. |
Splunk Cloud Platform
Splunk
|
| CVE-2025-20321 | Jul 07, 2025 |
Splunk Enterprise <9.4.3 CSRF can alter SHC membershipIn Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.104, 9.3.2408.114, and 9.2.2406.119, an unauthenticated attacker can send a specially-crafted SPL search that could change the membership state in a Splunk Search Head Cluster (SHC) through a Cross-Site Request Forgery (CSRF), potentially leading to the removal of the captain or a member of the SHC.<br><br>The vulnerability requires the attacker to phish the administrator-level victim by tricking them into initiating a request within their browser. The attacker should not be able to exploit the vulnerability at will. |
Splunk Cloud Platform
Splunk
|
| CVE-2025-20320 | Jul 07, 2025 |
DoS via Path Traversal in Splunk Enterprise <9.4.3 (Views conf)In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7 and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.107, 9.3.2408.117, and 9.2.2406.121, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload through the `User Interface - Views` configuration page that could potentially lead to a denial of service (DoS).The user could cause the DoS by exploiting a path traversal vulnerability that allows for deletion of arbitrary files within a Splunk directory. The vulnerability requires the low-privileged user to phish the administrator-level victim by tricking them into initiating a request within their browser. The low-privileged user should not be able to exploit the vulnerability at will. |
Splunk
Splunk Cloud Platform
|
| CVE-2025-20319 | Jul 07, 2025 |
RCE in Splunk Enterprise <9.4.3 via Scripted Input (edit_scripted)In Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, a user who holds a role that contains the high-privilege capability `edit_scripted` and `list_inputs` capability , could perform a remote command execution due to improper user input sanitization on the scripted input files.<br><br>See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) and [Setting up a scripted input ](https://docs.splunk.com/Documentation/Splunk/9.4.2/AdvancedDev/ScriptSetup)for more information. |
Splunk
|
| CVE-2025-20300 | Jul 07, 2025 |
Splunk Enterprise/Cloud <9.4.2: Low-Privileged Users Suppress AlertsIn Splunk Enterprise versions below 9.4.2, 9.3.5, 9.2.6, and 9.1.9 and Splunk Cloud Platform versions below 9.3.2411.103, 9.3.2408.112, and 9.2.2406.119, a low-privileged user that does not hold the "admin" or "power" Splunk roles, and has read-only access to a specific alert, could suppress that alert when it triggers. See [Define alert suppression groups to throttle sets of similar alerts](https://help.splunk.com/en/splunk-enterprise/alert-and-respond/alerting-manual/9.4/manage-alert-trigger-conditions-and-throttling/define-alert-suppression-groups-to-throttle-sets-of-similar-alerts). |
Splunk
Splunk Cloud Platform
|
| CVE-2025-20325 | Jul 07, 2025 |
Splunk <9.4.3 SHCConfig DEBUG log may expose splunk.secret keyIn Splunk Enterprise versions below 9.4.3, 9.3.5, 9.2.7, and 9.1.10, and Splunk Cloud Platform versions below 9.3.2411.103, 9.3.2408.113, and 9.2.2406.119, the software potentially exposes the search head cluster [splunk.secret](https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.4/install-splunk-enterprise-securely/deploy-secure-passwords-across-multiple-servers) key. This exposure could happen if you have a Search Head cluster and you configure the Splunk Enterprise `SHCConfig` log channel at the DEBUG logging level in the clustered deployment. <br><br>The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. <br><br>See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities), [Deploy a search head cluster](https://help.splunk.com/en/splunk-enterprise/administer/distributed-search/9.4/deploy-search-head-clustering/deploy-a-search-head-cluster), [Deploy secure passwords across multiple servers](https://help.splunk.com/en/splunk-enterprise/administer/manage-users-and-security/9.4/install-splunk-enterprise-securely/deploy-secure-passwords-across-multiple-servers) and [Set a security key for the search head cluster](https://help.splunk.com/splunk-enterprise/administer/distributed-search/9.4/configure-search-head-clustering/set-a-security-key-for-the-search-head-cluster#id_2c54937a_736c_47b5_9485_67e9e390acfa__Set_a_security_key_for_the_search_head_cluster) for more information. |
Splunk
Splunk Cloud Platform
|
| CVE-2025-20297 | Jun 02, 2025 |
Splunk Enterprise <9.4.2 pdfgen/render Allows Unprivileged Exec of JSIn Splunk Enterprise versions below 9.4.2, 9.3.4 and 9.2.6, and Splunk Cloud Platform versions below 9.3.2411.102, 9.3.2408.111 and 9.2.2406.118, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload through the pdfgen/render REST endpoint that could result in execution of unauthorized JavaScript code in the browser of a user. |
Splunk
Splunk Cloud Platform
|
| CVE-2025-20298 | Jun 02, 2025 |
Splunk UFW Windows <9.4.2 perms flawIn Universal Forwarder for Windows versions below 9.4.2, 9.3.4, 9.2.6, and 9.1.9, a new installation of or an upgrade to an affected version can result in incorrect permissions assignment in the Universal Forwarder for Windows Installation directory (by default, C:\Program Files\SplunkUniversalForwarder). This lets non-administrator users on the machine access the directory and all its contents. |
Universal Forwarder
|
| CVE-2025-20230 | Mar 26, 2025 |
Splunk SG KVStore Low-Priv Edit Pre-9.4.1 (CVE-2025-20230)In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and versions below 3.8.38 and 3.7.23 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the admin or power Splunk roles could edit and delete other user data in App Key Value Store (KVStore) collections that the Splunk Secure Gateway app created. This is due to missing access control and incorrect ownership of the data in those KVStore collections.<br><br>In the affected versions, the `nobody` user owned the data in the KVStore collections. This meant that there was no specific owner assigned to the data in those collections. |
Splunk
Splunk Secure Gateway
|
| CVE-2025-20232 | Mar 26, 2025 |
Splunk Ent/Cloud: Low Priv Bypass of SPL guard via /app/search (pre 9.3.3)In Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8 and Splunk Cloud Platform versions below 9.3.2408.103, 9.2.2406.108, 9.2.2403.113, 9.1.2312.208 and 9.1.2308.212, a low-privileged user that does not hold the admin or power Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands on the /app/search/search endpoint through its s parameter. <br>The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will. |
Splunk
Splunk Cloud Platform
|
| CVE-2025-20231 | Mar 26, 2025 |
Splunk Enterprise <9.4.1 Privilege Escalation via Search Using Higher-Priv AccountIn Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and versions below 3.8.38 and 3.7.23 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the admin or power Splunk roles could run a search using the permissions of a higher-privileged user that could lead to disclosure of sensitive information.<br><br>The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated low-privileged user should not be able to exploit the vulnerability at will. |
Splunk
Splunk Secure Gateway
|
| CVE-2025-20229 | Mar 26, 2025 |
Splunk Enterprise <9.3.3 RCE via apptemp upload (CVE-2025-20229)In Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8, and Splunk Cloud Platform versions below 9.3.2408.104, 9.2.2406.108, 9.2.2403.114, and 9.1.2312.208, a low-privileged user that does not hold the "admin" or "power" Splunk roles could perform a Remote Code Execution (RCE) through a file upload to the "$SPLUNK_HOME/var/run/splunk/apptemp" directory due to missing authorization checks. |
Splunk
Splunk Cloud Platform
|
| CVE-2025-20228 | Mar 26, 2025 |
Splunk CVE-2025-20228: CSRF Allows LPr User to Toggle KVStore Maint Mode <9.3.3In Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8 and Splunk Cloud Platform versions below 9.2.2403.108, and 9.1.2312.204, a low-privileged user that does not hold the "admin" or "power" Splunk roles could change the maintenance mode state of App Key Value Store (KVStore) through a Cross-Site Request Forgery (CSRF). |
Splunk Cloud Platform
Splunk
|
| CVE-2025-20227 | Mar 26, 2025 |
Splunk Enterprise <=9.4.1/9.3.3/9.2.5/9.1.8 & Cloud <=9.3.2408.107 Bypass External Content Warning MIn Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and Splunk Cloud Platform versions below 9.3.2408.107, 9.2.2406.112, 9.2.2403.115, 9.1.2312.208 and 9.1.2308.214, a low-privileged user that does not hold the "admin" or "power" Splunk roles could bypass the external content warning modal dialog box in Dashboard Studio dashboards which could lead to an information disclosure. |
Splunk
Splunk Cloud Platform
|
| CVE-2025-20226 | Mar 26, 2025 |
Splunk <9.4.1: Low-Privileged User Circumvents SPL SafeguardsIn Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8 and Splunk Cloud Platform versions below 9.3.2408.107, 9.2.2406.111, and 9.1.2308.214, a low-privileged user that does not hold the "admin" or "power" Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands on the "/services/streams/search" endpoint through its "q" parameter. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will. |
Splunk
Splunk Cloud Platform
|
| CVE-2025-20233 | Mar 26, 2025 |
Splunk App for Lookup File Editing <4.0.5 Improper Permission via chmodIn the Splunk App for Lookup File Editing versions below 4.0.5, a script in the app used the `chmod` and `makedirs` Python functions in a way that resulted in overly broad read and execute permissions. This could lead to improper access control for a low-privileged user. |
Splunk App Lookup File Editing
|
| CVE-2024-53245 | Dec 10, 2024 |
Splunk Enterprise and Splunk Cloud Platform Dashboard Access Control VulnerabilityIn Splunk Enterprise versions below 9.3.0, 9.2.4, and 9.1.7 and Splunk Cloud Platform versions below 9.1.2312.206, a low-privileged user that does not hold the admin or power Splunk roles, that has a username with the same name as a role with read access to dashboards, could see the dashboard name and the dashboard XML by cloning the dashboard. |
Splunk
Splunk Cloud Platform
|
| CVE-2024-53247 | Dec 10, 2024 |
Splunk Enterprise and Secure Gateway Remote Code Execution VulnerabilityIn Splunk Enterprise versions below 9.3.2, 9.2.4, and 9.1.7, and versions below 3.4.261 and 3.7.13 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the admin or power Splunk roles could perform a Remote Code Execution (RCE). |
Splunk
|
| CVE-2024-53246 | Dec 10, 2024 |
Splunk Enterprise and Splunk Cloud Platform SPL Command Information Disclosure VulnerabilityIn Splunk Enterprise versions below 9.3.2, 9.2.4, and 9.1.7 and Splunk Cloud Platform versions below 9.3.2408.101, 9.2.2406.106, 9.2.2403.111, and 9.1.2312.206, an SPL command can potentially disclose sensitive information. The vulnerability requires the exploitation of another vulnerability, such as a Risky Commands Bypass, for successful exploitation. |
Splunk
Splunk Cloud Platform
|
| CVE-2024-53243 | Dec 10, 2024 |
Splunk Enterprise Secure Gateway App Improper Access Control VulnerabilityIn Splunk Enterprise versions below 9.3.2, 9.2.4, and 9.1.7 and versions below 3.2.462, 3.7.18, and 3.8.5 of the Splunk Secure Gateway app on Splunk Cloud Platform, a low-privileged user that does not hold the admin or power Splunk roles could see alert search query responses using Splunk Secure Gateway App Key Value Store (KVstore) collections endpoints due to improper access control. |
Splunk
|
| CVE-2024-53244 | Dec 10, 2024 |
Splunk Enterprise Privilege Escalation via Saved Search BypassIn Splunk Enterprise versions below 9.3.2, 9.2.4, and 9.1.7 and Splunk Cloud Platform versions below 9.2.2406.107, 9.2.2403.109, and 9.1.2312.206, a low-privileged user that does not hold the admin or power Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands on /en-US/app/search/report endpoint through s parameter.<br>The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will. |
Splunk
Splunk Cloud Platform
|