CVE-2026-20260
Awaiting Analysis - Queue
ANSI Escape Code Injection in Splunk SOAR

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: Cisco Systems, Inc.

Description
In Splunk SOAR (Security Orchestration, Automation, and Response) versions below 8.5.0, an unauthenticated attacker could inject American National Standards Institute (ANSI) escape codes into SOAR application log files through specially crafted HTTP request paths, which a terminal emulator might interpret when an administrator views the logs.

The injection is possible because SOAR does not strip control characters from HTTP request paths before writing them to application logs.
Meta Information

Published: 2026-06-10

Last Modified: 2026-06-10

Generated: 2026-06-17

AI Q&A: 2026-06-11

EPSS Evaluated: 2026-06-16
Affected Vendors & Products
Showing 2 associated CPEs
Vendor | Product | Version / Range
cisco | splunk_soar | to 8.5.0 (exc)
splunk | soar | to 8.5.0 (exc)
CWE ID | Description
CWE-117 | The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-20260 is a vulnerability in Splunk SOAR versions below 8.5.0 where an unauthenticated attacker can inject ANSI escape codes into the application's log files by sending specially crafted HTTP request paths.

This happens because Splunk SOAR does not remove control characters from HTTP request paths before writing them to the logs.

When an administrator views these logs using a terminal emulator, the injected ANSI escape codes might be interpreted, potentially causing unintended behavior.

Impact Analysis

The vulnerability could lead to unintended behavior when administrators view the application logs, as the terminal emulator might interpret injected ANSI escape codes.

Since the attacker is unauthenticated and can inject these codes remotely via HTTP requests, this could be used to manipulate log display or potentially execute terminal commands depending on the environment.

However, the CVSS score of 4.3 (Medium) indicates that the impact is limited to integrity and does not affect confidentiality or availability.

Detection Guidance

No specific detection methods or commands have been provided by Splunk or in the available resources for identifying this vulnerability on your network or system.
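
A generic check for the log-injection pattern described on this page, as an added example that is not Splunk guidance or code from the advisory: it flags log lines that contain raw control characters, renders them with those characters made visible, and shows the neutralization step that CWE-117 calls for. The log line format, function names and sample lines are constructed assumptions, not the SOAR log format.

```python
import re
import sys

# C0 controls except tab, plus DEL and the C1 range. ESC (0x1b) starts ANSI
# escape sequences; CR/LF inside a field can forge extra log entries.
_CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f-\x9f]")

def neutralize(field: str) -> str:
    """Return field with control characters shown as visible \\xNN text."""
    # Double existing backslashes first so the output stays unambiguous.
    field = field.replace("\\", "\\\\")
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), field)

def log_request(method: str, path: str, status: int) -> str:
    """Build a log line (hypothetical format) with the untrusted path neutralized."""
    return f"{method} {neutralize(path)} {status}"

def scan_log(lines):
    """Yield (line_number, safe_rendering) for lines holding raw control chars."""
    for number, line in enumerate(lines, 1):
        body = line.rstrip("\r\n")  # the line terminator itself is expected
        if _CONTROL.search(body):
            yield number, neutralize(body)

# Constructed sample lines: the second carries a harmless colour sequence.
SAMPLE = [
    "2026-06-10 12:00:01 GET /rest/version 200\n",
    "2026-06-10 12:00:02 GET /x\x1b[31m 404\n",
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # errors="replace" keeps the scan going on undecodable bytes.
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            hits = list(scan_log(fh))
    else:
        hits = list(scan_log(SAMPLE))
    for number, safe in hits:
        print(f"line {number}: {safe}")
```

Run it with a log file path as the only argument; the output is safe to read in a terminal because every control character has been replaced by printable text.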

Mitigation Strategies

The only available mitigation is to upgrade Splunk SOAR to version 8.5.0 or higher, where this vulnerability has been resolved.

No other mitigations or workarounds are currently available.
