CVE-2026-20256
Analyzed Analyzed - Analysis Complete

Stored XSS via Protocol-Relative URL in Splunk Enterprise Classic Dashboards

Vulnerability report for CVE-2026-20256, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-15

Assigner: Cisco Systems, Inc.

Description

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could cause data exfiltration through classic dashboards by redirecting a victim to an external site using a protocol-relative URL in a drill-down link.<br><br>The vulnerability exists because the URL classifier in classic dashboards only recognizes `http://` and `https://` schemes when checking for external URLs. Protocol-relative URLs such as `//attacker.com` bypass this check entirely, and Splunk Web does not show the external-navigation warning dialog to the victim.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-10
Last Modified
2026-06-15
Generated
2026-07-07
AI Q&A
2026-06-10
EPSS Evaluated
2026-07-06
NVD
EUVD

Affected Vendors & Products

Showing 8 associated CPEs
Vendor Product Version / Range
splunk splunk From 10.0.0 (inc) to 10.0.7 (exc)
splunk splunk From 10.2.0 (inc) to 10.2.4 (exc)
splunk splunk From 9.3.0 (inc) to 9.3.13 (exc)
splunk splunk From 9.4.0 (inc) to 9.4.12 (exc)
splunk splunk_cloud_platform From 9.3.2411 (inc) to 9.3.2411.132 (exc)
splunk splunk_cloud_platform From 10.1.2507 (inc) to 10.1.2507.23 (exc)
splunk splunk_cloud_platform From 10.2.2510 (inc) to 10.2.2510.15 (exc)
splunk splunk_cloud_platform From 10.3.2512 (inc) to 10.3.2512.13 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

This vulnerability can lead to data exfiltration by tricking users into visiting malicious external sites without warning. Since low-privileged users can exploit this flaw, sensitive information could be exposed or leaked. The CVSS score indicates a medium severity with high confidentiality impact, meaning the confidentiality of data is at risk, although integrity and availability are not affected.

Executive Summary

CVE-2026-20256 is a vulnerability in Splunk Enterprise and Splunk Cloud Platform affecting classic dashboards. It allows a low-privileged user, who does not have 'admin' or 'power' roles, to cause data exfiltration by redirecting a victim to an external site. This happens because the URL classifier in classic dashboards only recognizes URLs starting with 'http://' or 'https://'. However, protocol-relative URLs like '//attacker.com' bypass this check, and Splunk Web does not show any external-navigation warning to the victim.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Splunk Enterprise or Splunk Cloud Platform to the patched versions.

  • Upgrade to Splunk Enterprise versions 10.2.4 or later, 10.0.7 or later, 9.4.12 or later, or 9.3.13 or later.
  • Upgrade to Splunk Cloud Platform versions 10.3.2512.13 or later, 10.2.2510.15 or later, 10.1.2507.23 or later, or 9.3.2411.132 or later.
  • Configure the Dashboards Trusted Domains List to restrict external domains.
  • Limit dashboard creation permissions to trusted roles only.
Detection Guidance

Splunk has not provided specific detection methods or commands to identify this vulnerability on your network or system.

Compliance Impact

This vulnerability allows low-privileged users to exfiltrate data by redirecting victims to external sites without proper warnings, potentially leading to unauthorized disclosure of sensitive information.

Such unauthorized data exfiltration can impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access and disclosure.

Organizations using affected versions of Splunk Enterprise or Splunk Cloud Platform should apply patches or mitigation measures to prevent data leaks and maintain compliance with these standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20256. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart