PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-20252 Splunk CVE debrief

A vulnerability was discovered in Splunk Enterprise and Splunk Cloud Platform. A low-privileged user who does not hold the 'admin' or 'power' Splunk roles could send server-side requests to arbitrary internal destinations through the Dashboard Studio PDF export feature. Two defects combine to make this possible: the trusted-domain validation uses a prefix match, which can be bypassed with attacker-controlled subdomains, and the PDF export service follows HTTP redirects automatically without re-validating each redirect target against the allowlist.

Vendor
Splunk
Product
Splunk Enterprise
CVSS
HIGH 7.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-10
Original CVE updated
2026-06-10
Advisory published
2026-06-10
Advisory updated
2026-06-10

Who should care

Users of Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and of Splunk Cloud Platform versions below 10.4.2604.3, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132 should upgrade to a fixed version to prevent exploitation.

Technical summary

The vulnerability has two root causes: the trusted-domain validation matches destinations by string prefix rather than by exact host, and the PDF export service automatically follows HTTP redirects without re-validating each new target. Together these allow a low-privileged user to make the server send requests to arbitrary internal destinations.
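As an added illustration (not Splunk's code and not taken from the advisory), the following Python contrasts the two defect patterns the summary and the description name with their hardened forms: an allowlist check based on a hostname prefix beside an exact-host check, and a redirect loop that validates only the initial URL beside one that re-validates every hop before fetching it. The allowlist entry, all hostnames, the private address and the in-memory HTTP exchange are constructed for the example.

```python
"""
Destination validation for a server-side fetcher (e.g. a report/PDF export
service): prefix-match allowlist vs. exact-host allowlist, and redirect
following with and without per-hop re-validation.

Added example only. The allowlist, hostnames and responses below are
constructed for illustration and are not Splunk's code or data.
"""
from urllib.parse import urlparse, urljoin

ALLOWED_HOSTS = {"dashboards.corp.example"}   # constructed allowlist entry
ALLOWED_SCHEMES = {"https"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, without trailing dot ('' if absent)."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def weak_prefix_check(url: str) -> bool:
    """Defective pattern: 'does the hostname start with a trusted name?'
    Any hostname that merely begins with the trusted name passes, so a name
    registered under a domain the allowlist owner does not control gets through."""
    host = host_of(url)
    return any(host.startswith(trusted) for trusted in ALLOWED_HOSTS)


def strict_host_check(url: str) -> bool:
    """Hardened form: the scheme must be allowed and the hostname must equal an
    allowlisted name exactly. No prefix or suffix matching is performed."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    return host_of(url) in ALLOWED_HOSTS


def fetch_naive(url, transport, max_redirects=5):
    """Defective pattern: validate the initial URL only, then follow whatever
    Location header the server returns. Returns (final_url, body)."""
    if not weak_prefix_check(url):
        raise ValueError(f"destination not allowlisted: {url}")
    current = url
    for _ in range(max_redirects + 1):
        status, headers, body = transport(current)
        if status in REDIRECT_STATUSES:
            current = urljoin(current, headers["Location"])  # never re-checked
            continue
        return current, body
    raise ValueError("too many redirects")


def fetch_validated(url, transport, max_redirects=5):
    """Hardened form: follow redirects manually so every hop is checked against
    the allowlist before it is requested. `transport(url)` returns
    (status, headers, body) and must not follow redirects itself."""
    current = url
    for _ in range(max_redirects + 1):
        if not strict_host_check(current):
            raise ValueError(f"destination not allowlisted: {current}")
        status, headers, body = transport(current)
        if status in REDIRECT_STATUSES:
            location = headers.get("Location")
            if location is None:
                raise ValueError("redirect without Location header")
            current = urljoin(current, location)  # resolve relative Location
            continue
        return current, body
    raise ValueError("too many redirects")


# Constructed in-memory stand-in for the network: the allowlisted host answers
# one path normally and redirects another path to a private-range address.
FAKE_RESPONSES = {
    "https://dashboards.corp.example/ok": (200, {}, b"<html>report</html>"),
    "https://dashboards.corp.example/report": (302, {"Location": "http://10.0.0.5/"}, b""),
    "http://10.0.0.5/": (200, {}, b"internal service"),
}


def fake_transport(url):
    return FAKE_RESPONSES.get(url, (404, {}, b""))


if __name__ == "__main__":
    lookalike = "https://dashboards.corp.example.attacker.test/x"  # constructed
    print("prefix check accepts lookalike:", weak_prefix_check(lookalike))
    print("exact check accepts lookalike: ", strict_host_check(lookalike))
    print("naive fetch ended at:", fetch_naive("https://dashboards.corp.example/report", fake_transport)[0])
    try:
        fetch_validated("https://dashboards.corp.example/report", fake_transport)
    except ValueError as exc:
        print("validated fetch refused hop:", exc)
```

The exact-host check deliberately rejects subdomains of the allowlisted name as well; if a deployment needs them, match on a label boundary ("." + trusted) rather than a string prefix, and still re-run the check on every redirect hop.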

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Splunk Enterprise to a fixed version: 10.2.4, 10.0.7, 9.4.12, or 9.3.13
  • Upgrade Splunk Cloud Platform to a fixed version: 10.4.2604.3, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, or 9.3.2411.132
  • Restrict access to the Dashboard Studio PDF export feature to trusted users only

Evidence notes

The CVE-2026-20252 vulnerability was identified in Splunk Enterprise and Splunk Cloud Platform. The vulnerability allows a low-privileged user to send server-side requests to arbitrary internal destinations.

Official resources

CVE-2026-20252 was published on 2026-06-10T18:16:40.630Z and modified on 2026-06-10T18:36:19.463Z.