7.6
/ 10
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Description
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.4.2604.3, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could send server-side requests to arbitrary internal destinations through the Dashboard Studio PDF export feature.
The vulnerability exists because the trusted-domain validation uses a prefix match that can be bypassed with attacker-controlled subdomains (for example, docs.splunk.com.evil.com), and because the PDF export service follows HTTP redirects automatically without re-validating each redirect target against the allowlist.
The vulnerability exists because the trusted-domain validation uses a prefix match that can be bypassed with attacker-controlled subdomains (for example, docs.splunk.com.evil.com), and because the PDF export service follows HTTP redirects automatically without re-validating each redirect target against the allowlist.
Basic Information
ID
CVE-2026-20252
Source
cisco
Published
Jun 10, 2026 at 17:16
Modified
Jun 10, 2026 at 18:23
Affected Product
Vendor
Splunk
Product
Splunk Enterprise
Version
10.2
Affected Versions
Splunk Splunk Enterprise 10.2
Splunk Splunk Enterprise 10.0
Splunk Splunk Enterprise 9.4
Splunk Splunk Enterprise 9.3
Splunk Splunk Cloud Platform 10.4.2604
Splunk Splunk Cloud Platform 10.3.2512
Splunk Splunk Cloud Platform 10.2.2510
Splunk Splunk Cloud Platform 10.1.2507
Splunk Splunk Cloud Platform 9.3.2411
Splunk Splunk Enterprise 10.0
Splunk Splunk Enterprise 9.4
Splunk Splunk Enterprise 9.3
Splunk Splunk Cloud Platform 10.4.2604
Splunk Splunk Cloud Platform 10.3.2512
Splunk Splunk Cloud Platform 10.2.2510
Splunk Splunk Cloud Platform 10.1.2507
Splunk Splunk Cloud Platform 9.3.2411