CVE-2026-20137
Path Traversal Allows SPL Injection Bypass in Splunk Enterprise
Publication date: 2026-02-18
Last updated on: 2026-02-20
Assigner: Cisco Systems, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| splunk | splunk | From 9.2.0 (inc) to 9.2.9 (exc) |
| splunk | splunk | From 9.3.0 (inc) to 9.3.7 (exc) |
| splunk | splunk | From 9.4.0 (inc) to 9.4.5 (exc) |
| splunk | splunk | From 10.0.0 (inc) to 10.0.3 (exc) |
| splunk | splunk_cloud_platform | From 10.0.2503 (inc) to 10.0.2503.9 (exc) |
| splunk | splunk_cloud_platform | From 9.3.2408 (inc) to 9.3.2408.122 (exc) |
| splunk | splunk_cloud_platform | From 9.3.2411 (inc) to 9.3.2411.112 (exc) |
| splunk | splunk_cloud_platform | 10.1.2507 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Splunk Enterprise or Splunk Cloud Platform to the fixed versions: Splunk Enterprise 10.2.0, 10.0.3, 9.4.5, 9.3.7, or 9.2.9, or the corresponding fixed versions for Splunk Cloud Platform.
As a temporary workaround, disabling Splunk Web can prevent exploitation of this vulnerability.
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-20137 is a low-severity vulnerability affecting certain versions of Splunk Enterprise and Splunk Cloud Platform. It involves a path traversal flaw that allows a low-privileged user, who does not have "admin" or "power" roles, to bypass safeguards on risky SPL commands by creating a Data Model containing an injected SPL query within an object.'}, {'type': 'paragraph', 'content': 'When a high-privileged user opens this object, the injected SPL query executes with their privileges, potentially exposing sensitive information without authorization. Exploitation requires tricking the high-privileged user into initiating a request in their browser, so it cannot be exploited arbitrarily by the attacker.'}] [1]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized exposure of sensitive information because the injected SPL query executes with the privileges of a high-privileged user when they open the malicious Data Model object.
An attacker with low privileges can exploit this by tricking a high-privileged user to open the crafted object, which may result in information disclosure without proper authorization.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
No specific detection methods or commands for identifying this vulnerability on your network or system are provided in the available information.