CVE-2026-20252
Undergoing Analysis Undergoing Analysis - In Progress
Server-Side Request Forgery in Splunk Enterprise

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: Cisco Systems, Inc.

Description
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.4.2604.3, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could send server-side requests to arbitrary internal destinations through the Dashboard Studio PDF export feature. The vulnerability exists because the trusted-domain validation uses a prefix match that can be bypassed with attacker-controlled subdomains (for example, docs.splunk.com.evil.com), and because the PDF export service follows HTTP redirects automatically without re-validating each redirect target against the allowlist.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-10
Last Modified
2026-06-10
Generated
2026-06-15
AI Q&A
2026-06-10
EPSS Evaluated
2026-06-14
NVD
CVE-2026-20252
EUVD
EUVD-2026-36086
Affected Vendors & Products
Showing 9 associated CPEs
Vendor Product Version / Range
splunk splunk_enterprise to 10.2.4 (exc)
splunk splunk_enterprise to 10.0.7 (exc)
splunk splunk_enterprise to 9.4.12 (exc)
splunk splunk_enterprise to 9.3.13 (exc)
splunk splunk_cloud_platform to 10.4.2604.3 (exc)
splunk splunk_cloud_platform to 10.3.2512.12 (exc)
splunk splunk_cloud_platform to 10.2.2510.14 (exc)
splunk splunk_cloud_platform to 10.1.2507.22 (exc)
splunk splunk_cloud_platform to 9.3.2411.132 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-20252 is a Server-Side Request Forgery (SSRF) vulnerability found in Splunk Enterprise and Splunk Cloud Platform. It allows low-privileged users, who do not have admin or power roles, to send server-side requests to arbitrary internal destinations by exploiting the Dashboard Studio PDF export feature.

The vulnerability exists because the trusted-domain validation uses a prefix match that can be bypassed with attacker-controlled subdomains (for example, docs.splunk.com.evil.com). Additionally, the PDF export service automatically follows HTTP redirects without re-validating each redirect target against the allowlist.

Impact Analysis

This vulnerability can have significant impacts including high confidentiality risk, as attackers may access internal resources or sensitive data by sending unauthorized server-side requests.

There is also a low risk to integrity and availability, meaning that while the attacker might not fully control or disrupt the system, some level of unauthorized access or minor disruption could occur.

Detection Guidance

There are no specific detections or commands provided by Splunk for identifying this vulnerability on your network or system.

Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to upgrade to the latest patched versions of Splunk Enterprise or Splunk Cloud Platform.

Compliance Impact

This vulnerability allows low-privileged users to send server-side requests to arbitrary internal destinations, potentially exposing sensitive internal data or systems.

Such unauthorized access or data exposure could lead to violations of confidentiality requirements mandated by common standards and regulations like GDPR and HIPAA.

Therefore, if exploited, this vulnerability may impact an organization's ability to maintain compliance with these regulations by compromising data confidentiality.

The recommended mitigation is to upgrade to patched versions to prevent exploitation and help maintain compliance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20252. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart