Splunk <9.4.4/9.3.6/9.2.8, Cloud <9.3.2411.111: Low-Priv SID Guess Grants Search
CVE-2025-20366 Published on October 1, 2025
Improper Access Control in Background Job Submission in Splunk Enterprise
In Splunk Enterprise versions below 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.111, 9.3.2408.119, and 9.2.2406.122, a low-privileged user that does not hold the admin or power Splunk roles could access sensitive search results if Splunk Enterprise runs an administrative search job in the background. If the low privileged user guesses the search jobs unique Search ID (SID), the user could retrieve the results of that job, potentially exposing sensitive search results. For more information see https://help.splunk.com/en/splunk-enterprise/search/search-manual/10.0/manage-jobs/about-jobs-and-job-management and https://help.splunk.com/en/splunk-enterprise/search/search-manual/10.0/manage-jobs/manage-search-jobs.
Weakness Type
What is an Authorization Vulnerability?
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CVE-2025-20366 has been classified to as an Authorization vulnerability or weakness.
Products Associated with CVE-2025-20366
stack.watch emails you whenever new vulnerabilities are published in Splunk or Splunk Cloud Platform. Just hit a watch button to start following.
Affected Versions
Splunk Enterprise:- Version 10.0 and below 10.0.0 is affected.
- Version 9.4 and below 9.4.4 is affected.
- Version 9.3 and below 9.3.6 is affected.
- Version 9.2 and below 9.2.8 is affected.
- Version 9.3.2411 and below 9.3.2411.111 is affected.
- Version 9.3.2408 and below 9.3.2408.119 is affected.
- Version 9.2.2406 and below 9.2.2406.122 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.