Multiple Splunk Enterprise Vulnerabilities Enable Path Traversal and Information Disclosure Attacks
Splunk has released security updates addressing multiple vulnerabilities in Splunk Enterprise and Splunk Cloud Platform.
These flaws could lead to issues such as path traversal, disclosure of stored credential hashes, and arbitrary execution of SPL (Search Processing Language) searches. Three security vulnerabilities affecting both Splunk Enterprise and Splunk Cloud Platform have been patched.
These issues impact the REST API and Splunk Web components, potentially allowing authorized users or phishing attackers to access sensitive data, write files to unintended directories, or execute arbitrary searches.
Multiple Splunk Enterprise Vulnerabilities
The most critical vulnerability, tracked as CVE-2026-20296 (SVD-2026-0702), has a CVSS score of 8.3. It impacts the Deployment Server component within Splunk Web.
An unauthenticated attacker could exploit this flaw by tricking a user with the list_deployment_server capability into opening a malicious link or webpage.
This attack takes advantage of the lack of CSRF (Cross-Site Request Forgery) validation on GET requests and insufficient handling of user-controlled input in SPL searches.
If successfully exploited, attackers could execute arbitrary SPL searches as the splunk-system-user, potentially exposing indexed data and stored credentials.
However, this exploitation requires user interaction; thus, an attacker cannot trigger the issue remotely without first phishing the target.
Additionally, CVE-2026-20297 (SVD-2026-0703) is a high-severity path traversal vulnerability rated with a CVSS score of 7.2. This issue exists in the App Install REST endpoint and involves the explicit_appname parameter.
A user with both edit_local_apps and install_apps capabilities could exploit this flaw during a valid app installation.
The vulnerable workflow could allow files to be written outside the intended application directory and into the $SPLUNK_HOME/etc/ directory or its subdirectories, which could affect application configurations and other sensitive Splunk files.
Lastly, CVE-2026-20298 (SVD-2026-0704) is a medium-severity information disclosure issue rated 5.3. A low-privileged user without admin or power roles could access the /servicesNS/-/-/storage/passwords REST endpoint through the | rest SPL command.
This endpoint could return the encr_password field, which exposes stored credential hashes to unauthorized users. While the flaw requires authentication and has a high attack complexity rating, the exposed hashes could facilitate offline password-cracking attempts or further compromise.
Splunk Enterprise users are advised to upgrade to the following fixed releases: 10.4.1, 10.2.5, 10.0.8, 9.4.13, or later. The path traversal issue also affects the 9.3 branch, which requires version 9.3.14.
For CVE-2026-20298, administrators must configure limits.conf with mask_encr_password = true under the [storage_passwords_masking] stanza, and then restart Splunk Enterprise.
Splunk Cloud Platform customers are being patched and monitored by Splunk. For CVE-2026-20296, organizations that cannot update immediately can reduce their exposure by disabling Splunk Web where it is not needed.
Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.
The post Multiple Splunk Enterprise Vulnerabilities Enable Path Traversal and Information Disclosure Attacks appeared first on Cyber Security News.
Abinaya
Go to cyber-security-news