CVE-2026-20254
Status: Analyzed (analysis complete)
Splunk Enterprise CSS Injection Vulnerability

Publication date: 2026-06-10

Last updated on: 2026-06-15

Assigner: Cisco Systems, Inc.

Description
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user who does not hold the 'admin' or 'power' Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server when a higher-privileged user views it, bypassing the external content restriction through a Cascading Style Sheets (CSS) injection.

The Trusted Domains security check does not fully validate inline style attribute values, which can allow outbound requests to untrusted domains and credential exfiltration when a victim views a crafted dashboard.
Meta Information
Generated: 2026-06-17
AI Q&A: 2026-06-10
EPSS Evaluated: 2026-06-16
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
splunk splunk From 10.0.0 (inc) to 10.0.7 (exc)
splunk splunk From 10.2.0 (inc) to 10.2.4 (exc)
splunk splunk From 9.3.0 (inc) to 9.3.13 (exc)
splunk splunk From 9.4.0 (inc) to 9.4.12 (exc)
splunk splunk_cloud_platform From 9.3.2411 (inc) to 9.3.2411.132 (exc)
splunk splunk_cloud_platform From 10.1.2507 (inc) to 10.1.2507.23 (exc)
splunk splunk_cloud_platform From 10.2.2510 (inc) to 10.2.2510.15 (exc)
splunk splunk_cloud_platform From 10.3.2512 (inc) to 10.3.2512.13 (exc)
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Executive Summary

CVE-2026-20254 is a medium-severity vulnerability in Splunk Enterprise and Splunk Cloud Platform that allows a low-privileged user, who does not have 'admin' or 'power' roles, to create a malicious classic dashboard. This dashboard can exfiltrate sensitive data to an external server when viewed by a higher-privileged user.

The vulnerability arises because the Trusted Domains security check does not fully validate inline style attribute values in Cascading Style Sheets (CSS). This flaw enables outbound requests to untrusted domains and credential exfiltration through CSS injection.

Impact Analysis

This vulnerability can lead to sensitive data being exfiltrated from your Splunk environment without authorization. Specifically, when a higher-privileged user views a malicious dashboard created by a low-privileged user, sensitive information and credentials can be sent to an external, untrusted server.

This can result in information disclosure and potential compromise of user credentials, increasing the risk of further unauthorized access or data breaches.

Detection Guidance

Detecting exposure to this vulnerability involves two things: confirming whether your Splunk Enterprise or Splunk Cloud Platform version is below the patched versions listed above, and monitoring for unusual outbound requests triggered by dashboards.

Specifically, you can check the Splunk version by running the following command on your Splunk server:

  • splunk version

To detect potential exploitation, monitor network traffic for outbound requests to untrusted domains that originate from Splunk dashboard content, in particular from inline CSS style values.

You can use network monitoring tools or commands such as:

  • tcpdump -i <interface> host <splunk_server_ip> and '(dst port 80 or 443)' (the parentheses are required: without them the filter captures all port 443 traffic, because "and" binds tighter than "or" in pcap filter syntax)
  • or use Splunk's internal logs to search for unusual dashboard activity or external requests.

Additionally, review dashboard permissions to identify if low-privileged users have dashboard creation rights.
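As an added example (not code from Splunk or from this advisory), the following Python script scans a classic dashboard's Simple XML for inline style attributes whose url() references point at hosts outside a trusted-domains allowlist; the dashboard XML and the allowlist are constructed here, and the script also covers panel HTML carried as CDATA text. Because the browser rendering the dashboard is what issues the url() fetch, the stored dashboard definition is the artifact worth reviewing.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Matches url(...) tokens in a CSS declaration, with or without quotes.
URL_RE = re.compile(r"""url\(\s*['"]?([^'")\s]+)['"]?\s*\)""", re.IGNORECASE)
# Matches style="..." attributes inside HTML that a panel carries as text/CDATA.
STYLE_ATTR_RE = re.compile(r'style\s*=\s*"([^"]*)"', re.IGNORECASE)


def _hosts_in_style(style: str):
    """Yield (url, host) for every absolute url() in one style value."""
    for url in URL_RE.findall(style):
        host = urlparse(url).hostname
        if host:  # relative and data: references have no host and stay in-app
            yield url, host.lower()


def external_style_urls(dashboard_xml: str, trusted_domains: set) -> list:
    """Report inline-style url() references in a classic dashboard whose host
    is not on the trusted-domains allowlist. Heuristic only: CSS escape
    sequences and otherwise obfuscated declarations are not decoded."""
    trusted = {d.lower() for d in trusted_domains}
    findings = []
    for elem in ET.fromstring(dashboard_xml).iter():
        styles = []
        if elem.attrib.get("style"):
            styles.append(elem.attrib["style"])
        # Panel HTML wrapped in CDATA arrives as text, not as child elements.
        styles.extend(STYLE_ATTR_RE.findall(elem.text or ""))
        for style in styles:
            for url, host in _hosts_in_style(style):
                if host not in trusted:
                    findings.append({"tag": elem.tag, "host": host, "url": url})
    return findings


# Constructed sample dashboard XML; not taken from the advisory or from Splunk.
SAMPLE_DASHBOARD = """<dashboard>
  <label>Constructed sample</label>
  <row><panel><html>
    <div style="background: url('https://static.example.com/logo.png')">ok</div>
    <div style="color:red; background-image: url(https://untrusted.example.net/x)">x</div>
  </html></panel></row>
  <row><panel><html><![CDATA[<p style="background:url(//cdn.example.org/a.png)">p</p>]]></html></panel></row>
</dashboard>"""

if __name__ == "__main__":
    for f in external_style_urls(SAMPLE_DASHBOARD, {"static.example.com"}):
        print(f"untrusted host {f['host']} referenced from <{f['tag']}> via {f['url']}")
```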

Mitigation Strategies

Immediate mitigation is to upgrade Splunk Enterprise to 10.2.4, 10.0.7, 9.4.12, or 9.3.13 (or higher within each line), or Splunk Cloud Platform to 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, or 9.3.2411.132 (or higher).

If upgrading immediately is not possible, you should:

  • Configure the Dashboards Trusted Domains List to restrict outbound requests to only trusted domains. Note that this vulnerability bypasses that check for inline style attribute values, so the allowlist reduces exposure but does not remove it on unpatched versions.
  • Restrict dashboard creation permissions to specific trusted roles, preventing low-privileged users from creating dashboards.

These steps help prevent malicious dashboards from exfiltrating sensitive data via CSS injection.

Compliance Impact

This vulnerability allows a low-privileged user to exfiltrate sensitive data to an external server by bypassing external content restrictions through CSS injection. Such unauthorized disclosure of sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over personal and sensitive information. Organizations using affected Splunk versions may face compliance risks if sensitive data is exposed due to this vulnerability.

Mitigations such as upgrading to patched versions, configuring the Dashboards Trusted Domains List, and restricting dashboard creation permissions can help reduce the risk of data exfiltration and support compliance efforts.
