Splunk Fixes Path Traversal, Credential Exposure and SPL Search Flaws


Splunk has released security updates for three vulnerabilities affecting Splunk Enterprise and Splunk Cloud Platform. The flaws could allow attackers to run unauthorized searches, write files outside an application directory or view stored credential hashes.

The vulnerabilities affect Splunk Web and REST API components. Their severity scores range from 5.3 to 8.3, with two rated High and one rated Medium.

Splunk Enterprise administrators should upgrade to a fixed release as soon as possible. One of the information disclosure flaws also requires a configuration change after the update.

Three Splunk vulnerabilities patched

CVEAdvisorySeverityCVSSPrimary risk
CVE-2026-20296SVD-2026-0702High8.3Arbitrary SPL searches through CSRF
CVE-2026-20297SVD-2026-0703High7.2Path traversal during app installation
CVE-2026-20298SVD-2026-0704Medium5.3Disclosure of stored credential hashes

The vulnerabilities do not share the same exploitation requirements. CVE-2026-20296 involves an unauthenticated attacker but requires phishing and user interaction. CVE-2026-20297 requires a user with two powerful app-management capabilities, while CVE-2026-20298 requires a low-privileged authenticated account.

CVE-2026-20296 allows unauthorized SPL searches

CVE-2026-20296 is the highest-rated of the three vulnerabilities. It affects Deployment Server endpoints in Splunk Web and carries a CVSS score of 8.3.

The flaw exists because the affected endpoints do not validate cross-site request forgery tokens for GET requests. Splunk also fails to correctly neutralize user-controlled input before placing it inside an SPL search.

An attacker could create a malicious link or webpage and convince a logged-in Splunk user to open it. The targeted user must hold a role containing the list_deployment_server capability.

If the phishing attempt succeeds, the malicious request could run arbitrary Search Processing Language searches on the user’s behalf. The searches execute as splunk-system-user, potentially giving the attacker access to indexed data and stored credentials.

The SPL vulnerability requires phishing

Despite the lack of an authentication requirement for the attacker, CVE-2026-20296 is not a fully automatic remote attack. A suitable Splunk user must open the attacker-controlled link or webpage in a browser.

The CVSS vector confirms that user interaction is required:

CVSS metricValue
Attack vectorNetwork
Attack complexityLow
Privileges requiredNone
User interactionRequired
Confidentiality impactHigh
Integrity impactHigh
Availability impactLow

Splunk states in its CVE-2026-20296 advisory that the attacker should not be able to exploit the flaw at will. The attacker must first identify and deceive a user with the required capability.

CVE-2026-20297 enables path traversal

CVE-2026-20297 is a path traversal vulnerability in the App Install REST endpoint. It has a CVSS score of 7.2 and can affect the confidentiality, integrity and availability of a Splunk deployment.

The vulnerable app installation workflow does not properly restrict the path supplied through the explicit_appname parameter. A malicious value could direct files outside the intended application folder.

Successful exploitation could write files into $SPLUNK_HOME/etc/ or one of its subdirectories. This location contains applications and configuration data that affect how Splunk Enterprise operates.

The attacker must have an authenticated Splunk role containing both of these capabilities:

  • edit_local_apps
  • install_apps

The user must also perform a valid application installation. CVE-2026-20297 does not provide an unauthenticated path into Splunk, but it could increase the impact of an account that already has app-management permissions.

Splunk 9.3 is affected by the path traversal flaw

CVE-2026-20297 has a wider Splunk Enterprise version range than the other two vulnerabilities. It also affects the 9.3 release branch.

The official path traversal advisory instructs organizations using Splunk Enterprise 9.3 to install version 9.3.14 or later.

Splunk Enterprise branchAffected versionsFixed version
10.410.4.010.4.1
10.210.2.0 through 10.2.410.2.5
10.010.0.0 through 10.0.710.0.8
9.49.4.0 through 9.4.129.4.13
9.39.3.0 through 9.3.139.3.14

The 9.3 branch does not appear in the affected-product lists for CVE-2026-20296 or CVE-2026-20298.

CVE-2026-20298 exposes stored credential hashes

CVE-2026-20298 is a medium-severity information disclosure vulnerability in the storage/passwords REST endpoint. It has a CVSS score of 5.3.

A low-privileged authenticated user without the Splunk admin or power role could access the endpoint through the | rest SPL command:

/servicesNS/-/-/storage/passwords

The endpoint incorrectly includes the encr_password field in its results. This exposes stored credential hashes to users who should not have permission to view them.

The vulnerability requires authentication and has high attack complexity. It does not allow an unauthenticated internet user to retrieve credentials directly.

Updating alone does not complete the CVE-2026-20298 fix

Splunk Enterprise administrators must complete three steps to address the credential disclosure issue. Installing a patched release forms only the first part of the procedure.

The Splunk information disclosure advisory instructs administrators to enable credential masking in limits.conf and restart the instance.

  1. Upgrade Splunk Enterprise to a fixed or newer version.
  2. Open the appropriate limits.conf configuration file.
  3. Add or update the following stanza and setting:
[storage_passwords_masking]
mask_encr_password = true
  1. Restart the Splunk Enterprise instance.
  2. Confirm that unauthorized roles can no longer retrieve the encr_password field.

Administrators should follow Splunk’s configuration-file precedence rules and avoid editing default files that an upgrade could overwrite.

Fixed Splunk Enterprise releases

Organizations running Splunk Enterprise should upgrade to the fixed release for their current branch or move to a newer supported version.

BranchMinimum fixed versionVulnerabilities addressed
10.410.4.1All three vulnerabilities
10.210.2.5All three vulnerabilities
10.010.0.8All three vulnerabilities
9.49.4.13All three vulnerabilities
9.39.3.14CVE-2026-20297 only

Security teams should confirm the version on every search head, deployment server and other relevant Splunk Enterprise component. Distributed environments may contain systems running different release branches.

Splunk Cloud Platform updates

All three vulnerabilities also affect selected Splunk Cloud Platform versions. Splunk says it is actively monitoring and patching affected cloud instances.

Cloud branchCVE-2026-20296 fixCVE-2026-20297 fixCVE-2026-20298 fix
10.5.260510.5.2605.010.5.2605.010.5.2605.0
10.4.260410.4.2604.710.4.2604.610.4.2604.6
10.3.251210.3.2512.16Not listed10.3.2512.15
10.2.251010.2.2510.1810.2.2510.1810.2.2510.18
10.1.250710.1.2507.2410.1.2507.2410.1.2507.24

Splunk Cloud customers should check their service status and contact Splunk Support if they need confirmation about the patch level of a specific environment.

Workarounds and immediate security steps

Organizations that cannot immediately patch CVE-2026-20296 can turn off Splunk Web on systems where the interface is not required. The vulnerability affects instances with Splunk Web enabled.

Administrators should also review roles that contain list_deployment_server, edit_local_apps or install_apps. Removing unnecessary capabilities reduces the number of accounts that could participate in the attack paths.

  • Upgrade every affected Splunk Enterprise instance.
  • Apply the credential-masking configuration for CVE-2026-20298.
  • Restart Splunk after changing limits.conf.
  • Disable Splunk Web where it is unnecessary.
  • Review users with deployment-server and app-installation capabilities.
  • Train privileged users to avoid untrusted links while signed in to Splunk.
  • Audit recent app installations and unexpected files under $SPLUNK_HOME/etc/.
  • Review unusual REST searches involving the credential-storage endpoint.

Security teams should prioritize deployment servers and systems that expose Splunk Web to broad user groups. They should also inspect recent role changes and app installations for unexpected activity.

FAQ

Which Splunk vulnerabilities were patched?

Splunk patched CVE-2026-20296, which enables unauthorized SPL searches through CSRF; CVE-2026-20297, a path traversal flaw in app installation; and CVE-2026-20298, which exposes stored credential hashes.

Can CVE-2026-20296 be exploited without authentication?

The attacker does not need a Splunk account, but exploitation requires phishing. A logged-in user with the list_deployment_server capability must open a malicious link or webpage.

Which versions of Splunk Enterprise fix the vulnerabilities?

Fixed releases include Splunk Enterprise 10.4.1, 10.2.5, 10.0.8 and 9.4.13. Version 9.3.14 fixes the path traversal vulnerability affecting the 9.3 branch.

Does upgrading completely fix CVE-2026-20298?

No. After upgrading, administrators must set mask_encr_password = true under the [storage_passwords_masking] stanza in limits.conf and restart Splunk Enterprise.

What is the workaround for CVE-2026-20296?

Organizations that cannot patch immediately can turn off Splunk Web on instances where the web interface is not required.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages