CVE-2026-20252— Server-Side Request Forgery (SSRF) through Dashboard Studio PDF Export in Splunk Enterprise
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 9
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Splunk | Splunk Cloud Platform | 10.4.2604< 10.4.2604.3 | affected |
10.3.2512< 10.3.2512.12 | affected | ||
10.2.2510< 10.2.2510.14 | affected | ||
10.1.2507< 10.1.2507.22 | affected | ||
9.3.2411< 9.3.2411.132 | affected | ||
| Splunk | Splunk Enterprise | 10.2< 10.2.4 | affected |
10.0< 10.0.7 | affected | ||
9.4< 9.4.12 | affected | ||
9.3< 9.3.13 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-20252
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Server-Side Request Forgery (SSRF) through Dashboard Studio PDF Export in Splunk Enterprise
Source: NVD (National Vulnerability Database)
Vulnerability Description
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.4.2604.3, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could send server-side requests to arbitrary internal destinations through the Dashboard Studio PDF export feature. The vulnerability exists because the trusted-domain validation uses a prefix match that can be bypassed with attacker-controlled subdomains (for example, docs.splunk.com.evil.com), and because the PDF export service follows HTTP redirects automatically without re-validating each redirect target against the allowlist.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
服务端请求伪造(SSRF)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Splunk Cloud Platform和Splunk Enterprise 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Splunk Cloud Platform和Splunk Enterprise都是美国Splunk公司的产品。Splunk Cloud Platform是一个强大的数据收集、处理和分析服务。Splunk Enterprise是一套数据收集分析软件。 Splunk Cloud Platform和Splunk Enterprise存在代码问题漏洞,该漏洞源于受信任域验证使用前缀匹配且PDF导出服务自动跟随HTTP重定向,可能导致低权限用户通过Dashboard Studio PDF导出功能向任意内部目标发送服
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Splunk | Splunk Enterprise | 10.2 ~ 10.2.4 | - | |
| Splunk | Splunk Cloud Platform | 10.4.2604 ~ 10.4.2604.3 | - |
II. Public POCs for CVE-2026-20252
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-20252
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-20252 (1)
Same Patch Batch · Splunk · 2026-06-10 · 10 CVEs total
| CVE-2026-20253 | 9.8 CRITICAL | Unauthenticated Arbitrary File Creation and Truncation in a PostgreSQL Sidecar Service End |
| CVE-2026-20251 | 8.8 HIGH | Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway |
| CVE-2026-20258 | 7.1 HIGH | Stored Cross-Site Scripting (XSS) through Classic Dashboard in Splunk Enterprise |
| CVE-2026-20254 | 5.7 MEDIUM | Information Disclosure through External Content Restriction Bypass in Splunk Enterprise |
| CVE-2026-20257 | 5.7 MEDIUM | Improper Input Validation through Classic Dashboard CSS in Splunk Enterprise |
| CVE-2026-20255 | 5.7 MEDIUM | Improper Input Validation through Classic Dashboards in Splunk Enterprise |
| CVE-2026-20256 | 5.7 MEDIUM | Improper Input Validation through Protocol-Relative URL in Classic Dashboards in Splunk En |
| CVE-2026-20259 | 5.5 MEDIUM | Improper Access Control in Splunk Enterprise |
| CVE-2026-20260 | 4.3 MEDIUM | Log Injection through HTTP Request Paths in Splunk SOAR |
IV. Related Vulnerabilities
Same product: Splunk Enterprise
- CVE-2026-20258
Stored Cross-Site Scripting (XSS) through Classic Dashboard - CVE-2026-20253
Unauthenticated Arbitrary File Creation and Truncation in a - CVE-2026-20257
Improper Input Validation through Classic Dashboard CSS in S - CVE-2026-20259
Improper Access Control in Splunk Enterprise - CVE-2026-20255
Improper Input Validation through Classic Dashboards in Splu
Same vendor: Splunk
- CVE-2026-20266
OS Command Injection in the btool Configuration Helper in Sp - CVE-2026-20265
Insecure Default Domain Allowlist in Splunk AI Toolkit - CVE-2026-20258
Stored Cross-Site Scripting (XSS) through Classic Dashboard - CVE-2026-20253
Unauthenticated Arbitrary File Creation and Truncation in a - CVE-2026-20260
Log Injection through HTTP Request Paths in Splunk SOAR
Same weakness: CWE-918
- CVE-2026-49345
Mercator CVE Configuration Vulnerable to Server-Side Request - CVE-2026-12726
Awx: automation-controller: awx: github webhook second-order - CVE-2026-49359
PhpWeasyPrint vulnerable to SSRF and local file disclosure v - CVE-2026-11989
Bit integrations <= 2.8.7 - Unauthenticated Server-Side Requ - CVE-2026-4328
Advanced Import: One-Click Demo Import for WordPress <= 1.4.
V. Comments for CVE-2026-20252
No comments yet