PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-20255 Splunk CVE debrief

A vulnerability was found in Splunk Enterprise and Splunk Cloud Platform. The issue allows a low-privileged user to craft a malicious classic dashboard that can exfiltrate sensitive data to an external server. This is possible due to incomplete URL validation on the external content dialog, which can allow requests to untrusted domains when a user interacts with a crafted dashboard.

Vendor: Splunk
Product: Splunk Enterprise
CVSS: MEDIUM 5.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-10
Original CVE updated: 2026-06-10
Advisory published: 2026-06-10
Advisory updated: 2026-06-10

Who should care

Administrators and users of Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132 should be aware of this vulnerability.

Technical summary

The vulnerability exists in Splunk Enterprise and Splunk Cloud Platform due to incomplete URL validation on the external content dialog. This allows a low-privileged user, who does not hold the 'admin' or 'power' Splunk roles, to craft a malicious classic dashboard. When interacted with, this dashboard can exfiltrate sensitive data to an external server.

Defensive priority

MEDIUM

Recommended defensive actions

  • Update Splunk Enterprise to version 10.2.4, 10.0.7, 9.4.12, or 9.3.13, or later.
  • Update Splunk Cloud Platform to version 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, or 9.3.2411.132, or later.
  • Restrict access to sensitive data and dashboards.
  • Monitor dashboard interactions for suspicious activity.
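
To act on the first two items across a fleet, the following added example (not Splunk's or PatchSiren's code) triages an inventory against the fixed releases listed on this page. The function names, host labels and sample inventory are constructed for illustration; release trains the page does not list are reported as unknown rather than guessed.

```python
import re

# Fixed releases exactly as listed on this page; the last component is the
# patch level, everything before it identifies the release train.
FIXED = {
    "enterprise": ["10.2.4", "10.0.7", "9.4.12", "9.3.13"],
    "cloud": ["10.3.2512.13", "10.2.2510.15", "10.1.2507.23", "9.3.2411.132"],
}

def parse_version(text):
    """Turn '9.4.12' into (9, 4, 12); reject anything that is not dotted digits."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)+", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))

def triage(product, version):
    """Return 'vulnerable', 'patched' or 'unknown' for one deployment."""
    installed = parse_version(version)
    for fixed_text in FIXED[product]:
        fixed = parse_version(fixed_text)
        train = fixed[:-1]  # e.g. (9, 4) for Enterprise, (10, 3, 2512) for Cloud
        if installed[:len(train)] == train:
            return "patched" if installed >= fixed else "vulnerable"
    # The page lists no fixed release for this train, so do not guess.
    return "unknown"

# Constructed inventory for illustration: (host label, product, version).
SAMPLE_INVENTORY = [
    ("sh-01", "enterprise", "9.4.11"),
    ("sh-02", "enterprise", "9.4.12"),
    ("idx-01", "enterprise", "10.2.4"),
    ("legacy-01", "enterprise", "9.2.5"),
    ("stack-a", "cloud", "10.3.2512.12"),
    ("stack-b", "cloud", "9.3.2411.132"),
]

def report(inventory):
    """Map each host label to its triage status."""
    return {host: triage(product, version) for host, product, version in inventory}

if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as unknown need a manual check against the vendor advisory, since this page gives no fixed version for their release train.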

Evidence notes

CVE-2026-20255 was found in Splunk Enterprise and Splunk Cloud Platform. Its Common Vulnerability Scoring System (CVSS) score is 5.7, indicating medium severity.

Official resources

CVE-2026-20255 was published on 2026-06-10T18:16:41.010Z.