{"id":14345,"date":"2026-07-16T10:04:20","date_gmt":"2026-07-16T10:04:20","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/16\/multiple-splunk-enterprise-vulnerabilities-enable-path-traversal-and-information-disclosure-attacks\/"},"modified":"2026-07-16T10:04:20","modified_gmt":"2026-07-16T10:04:20","slug":"multiple-splunk-enterprise-vulnerabilities-enable-path-traversal-and-information-disclosure-attacks","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/16\/multiple-splunk-enterprise-vulnerabilities-enable-path-traversal-and-information-disclosure-attacks\/","title":{"rendered":"Multiple Splunk Enterprise Vulnerabilities Enable Path Traversal and Information Disclosure Attacks"},"content":{"rendered":"<p>    Multiple Splunk Enterprise Vulnerabilities Enable Path Traversal and Information Disclosure Attacks<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p class=\"wp-block-paragraph\">Splunk has released security updates addressing multiple vulnerabilities in Splunk Enterprise and Splunk Cloud Platform.<\/p>\n<p class=\"wp-block-paragraph\">These flaws could lead to issues such as path traversal, disclosure of stored credential hashes, and <a href=\"https:\/\/cybersecuritynews.com\/splunk-secure-gateway-deserialization-rce-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">arbitrary execution of SPL (Search Processing Language)<\/a> searches. Three security vulnerabilities affecting both Splunk Enterprise and Splunk Cloud Platform have been patched.<\/p>\n<p class=\"wp-block-paragraph\">These issues impact the REST API and Splunk Web components, potentially allowing authorized users or phishing attackers to access sensitive data, write files to unintended directories, or execute arbitrary searches.<\/p>\n<h2 id=\"h-multiple-splunk-enterprise-vulnerabilities\" class=\"wp-block-heading\"><strong>Multiple Splunk Enterprise Vulnerabilities<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">The most critical vulnerability, tracked as CVE-2026-20296 (<a href=\"https:\/\/advisory.splunk.com\/advisories\/SVD-2026-0702\" target=\"_blank\" rel=\"noreferrer noopener\">SVD-2026-0702<\/a>), has a CVSS score of 8.3. It impacts the Deployment Server component within Splunk Web.<\/p>\n<p class=\"wp-block-paragraph\">An unauthenticated attacker could exploit this flaw by tricking a user with the <code>list_deployment_serve<\/code>r capability into opening a malicious link or webpage.<\/p>\n<p class=\"wp-block-paragraph\">This attack takes advantage of the lack of CSRF (Cross-Site Request Forgery) validation on GET requests and insufficient handling of user-controlled input in SPL searches.<\/p>\n<p class=\"wp-block-paragraph\">If successfully exploited, attackers could execute arbitrary SPL searches as the splunk-system-user, potentially <a href=\"https:\/\/cybersecuritynews.com\/splunk-ai-toolkit-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">exposing indexed data and stored credentials.<\/a><\/p>\n<p class=\"wp-block-paragraph\">However, this exploitation requires user interaction; thus, an attacker cannot trigger the issue remotely without first phishing the target.<\/p>\n<p class=\"wp-block-paragraph\">Additionally, CVE-2026-20297 (<a href=\"https:\/\/advisory.splunk.com\/advisories\/SVD-2026-0703\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">SVD-2026-0703<\/a>) is a high-severity path traversal vulnerability rated with a CVSS score of 7.2. This issue exists in the App Install REST endpoint and involves the explicit_appname parameter.<\/p>\n<p class=\"wp-block-paragraph\">A user with both edit_local_apps and install_apps capabilities could exploit this flaw during a valid app installation.<\/p>\n<p class=\"wp-block-paragraph\">The vulnerable workflow could allow files to be written outside the intended application directory and into the $SPLUNK_HOME\/etc\/ directory or its subdirectories, which could affect application configurations and other sensitive Splunk files.<\/p>\n<p class=\"wp-block-paragraph\">Lastly, CVE-2026-20298 (<a href=\"https:\/\/advisory.splunk.com\/advisories\/SVD-2026-0704\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">SVD-2026-0704<\/a>) is a medium-severity information disclosure issue rated 5.3. A low-privileged user without admin or power roles could access the<code> \/servicesNS\/-\/-\/storage\/passwords<\/code> REST endpoint through the <code>| rest<\/code> SPL command.<\/p>\n<p class=\"wp-block-paragraph\">This endpoint could return the <code>encr_password<\/code> field, which exposes stored credential hashes to unauthorized users. While the flaw requires authentication and has a high attack complexity rating, the exposed hashes could facilitate offline password-cracking attempts or further compromise.<\/p>\n<p class=\"wp-block-paragraph\">Splunk Enterprise users are advised to upgrade to the following fixed releases: 10.4.1, 10.2.5, 10.0.8, 9.4.13, or later. The path traversal issue also affects the 9.3 branch, which requires version 9.3.14.<\/p>\n<p class=\"wp-block-paragraph\">For CVE-2026-20298, administrators must configure limits.conf with <code>mask_encr_password = true<\/code> under the [storage_passwords_masking] stanza, and then restart Splunk Enterprise.<\/p>\n<p class=\"wp-block-paragraph\">Splunk Cloud Platform customers are being <a href=\"https:\/\/cybersecuritynews.com\/splunk-patches-multiple-vulnerabilities\/\" target=\"_blank\" rel=\"noreferrer noopener\">patched and monitored by Splunk<\/a>. For CVE-2026-20296, organizations that cannot update immediately can reduce their exposure by disabling Splunk Web where it is not needed.<\/p>\n<p class=\"has-text-align-center has-background wp-block-paragraph\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 87%,rgb(169,184,195) 100%)\"><strong>\u00a0Strengthen Your SOC by Accelerating Threat Detection &amp; Rapid Investigations.\u00a0-&gt;\u00a0<a href=\"https:\/\/any.run\/enterprise\/?utm_source=csn&amp;utm_medium=links&amp;utm_campaign=sandbox&amp;utm_content=enterprise&amp;utm_term=0626#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener\">Integrate ANY.RUN With Your SOC\u00a0<\/a><strong><a href=\"https:\/\/any.run\/enterprise\/?utm_source=csn&amp;utm_medium=links&amp;utm_campaign=sandbox&amp;utm_content=enterprise&amp;utm_term=0626#contact-sales\" target=\"_blank\" rel=\"noreferrer noopener\">Now<\/a><\/strong>.<\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/multiple-splunk-enterprise-vulnerabilities-patched\/\">Multiple Splunk Enterprise Vulnerabilities Enable Path Traversal and Information Disclosure Attacks<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Abinaya<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/multiple-splunk-enterprise-vulnerabilities-patched\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Multiple Splunk Enterprise Vulnerabilities Enable Path Traversal and Information Disclosure Attacks Splunk has released security updates addressing multiple vulnerabilities in Splunk Enterprise and Splunk Cloud Platform. These flaws could lead to issues such as path traversal, disclosure of stored credential hashes, and arbitrary execution of SPL (Search Processing Language) searches. Three security vulnerabilities affecting both [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,416],"tags":[130],"class_list":["post-14345","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerabilities","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14345"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=14345"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/14345\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=14345"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=14345"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=14345"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}