CVE-2026-20252: Splunk SSRF in Dashboard Studio PDF Export – Full Analysis
A vulnerability in Splunk Enterprise and Splunk Cloud Platform allows low-privileged users to make unauthorized server-side requests to internal systems through the PDF export feature in Dashboard Studio. The flaw stems from weak validation of trusted domains—attackers can bypass the allowlist by registering subdomains (e.g., docs.splunk.com.evil.com) and leveraging automatic HTTP redirect following to reach unintended targets. An authenticated user without admin or power roles can exploit this to probe or attack internal infrastructure.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.6 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
- Weaknesses (CWE)
- CWE-918
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.4.2604.3, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could send server-side requests to arbitrary internal destinations through the Dashboard Studio PDF export feature. The vulnerability exists because the trusted-domain validation uses a prefix match that can be bypassed with attacker-controlled subdomains (for example, docs.splunk.com.evil.com), and because the PDF export service follows HTTP redirects automatically without re-validating each redirect target against the allowlist.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-20252 is a Server-Side Request Forgery (SSRF) vulnerability in Splunk's Dashboard Studio PDF export functionality. The root causes are twofold: (1) the trusted-domain validation uses a prefix match rather than strict domain comparison, allowing an attacker to register a subdomain that starts with a whitelisted domain; and (2) the PDF export service automatically follows HTTP 3xx redirects without re-validating each redirect target against the allowlist. This combination permits a low-privileged, authenticated user to send requests to arbitrary internal destinations by crafting a malicious PDF export request that references an attacker-controlled domain or leveraging redirects to exfiltrate data or interact with internal services.
Business impact
This vulnerability enables lateral movement and reconnaissance within networked Splunk deployments. An attacker with basic Splunk credentials can probe internal IP ranges, access unprotected internal APIs, or exfiltrate data from services that trust the Splunk instance. In environments where Splunk has broad network access or sits on the same network segment as sensitive databases, logging systems, or administrative interfaces, the risk of data breach or unauthorized configuration changes is elevated. The low barrier to entry (requiring only basic authentication) amplifies exposure in organizations with loose credential management.
Affected systems
Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13 are vulnerable. Splunk Cloud Platform versions below 10.4.2604.3, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132 are affected. The vulnerability requires Dashboard Studio to be in use and the PDF export feature to be accessible to the affected user.
Exploitability
Exploitability is moderate to high. The attack requires valid Splunk credentials (low-privileged accounts suffice), but no admin or power role is necessary. The attacker must craft a dashboard and invoke the PDF export feature, which is a standard UI action. The bypass techniques—subdomain registration and HTTP redirect chaining—are straightforward to execute. No user interaction is required beyond the attacker's own authenticated session. However, the attacker must have some visibility into the target environment's internal network topology to maximize impact.
Remediation
Upgrade Splunk Enterprise to version 10.2.4, 10.0.7, 9.4.12, or 9.3.13 or later (depending on your current branch). Upgrade Splunk Cloud Platform to version 10.4.2604.3, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, or 9.3.2411.132 or later. As an interim control, restrict PDF export feature access to trusted roles only and limit which users have Splunk authentication credentials. Network segmentation to isolate Splunk instances from sensitive internal systems is also recommended.
Patch guidance
Splunk has released patched versions for each supported branch. Determine your current Splunk version and apply the minimum patched version for your branch: for Enterprise on 10.x, upgrade to 10.2.4 or 10.0.7; for 9.x, upgrade to 9.4.12 or 9.3.13. For Cloud Platform customers, consult your account team or the Splunk Cloud Platform advisory for your instance's applicable version. Test patches in a non-production environment first to validate compatibility with custom dashboards and integrations.
Detection guidance
Monitor Splunk access logs and API audit trails for unusual PDF export requests, particularly those referencing unfamiliar or suspicious domains. Watch for requests that include URL-encoded domain names or patterns resembling subdomain enumeration (e.g., *.splunk.com.evil.com). Network-layer detection should focus on outbound connections from Splunk instances to internal IP ranges or suspicious external domains initiated by PDF export processes. Enable HTTP proxy or WAF logging if Splunk egress traffic is proxied.
Why prioritize this
This vulnerability merits immediate patching due to its HIGH CVSS score (7.6), low privilege requirement, and direct enablement of internal reconnaissance and lateral movement. The ease of exploitation—requiring only standard dashboard functionality—and the breadth of affected versions (multiple branches of both Enterprise and Cloud) amplify urgency. Organizations operating Splunk in multi-tenant or security-sensitive environments should treat this as critical.
Risk score, explained
The CVSS 3.1 score of 7.6 (HIGH) reflects a network-accessible vulnerability requiring low authentication privileges, no user interaction, and high confidentiality impact. The score appropriately weights the SSRF impact on internal systems. Within your environment, risk escalates if Splunk has broad network access, hosts sensitive data, or sits near critical infrastructure. Risk de-escalates if access to Dashboard Studio is tightly controlled or if network segmentation isolates Splunk from sensitive assets.
Frequently asked questions
Do I need to have admin rights to exploit this vulnerability?
No. The vulnerability requires only basic Splunk authentication; the attacker does not need admin or power roles. Any low-privileged user account can trigger the PDF export feature and exploit the SSRF weakness.
Can this vulnerability be exploited without accessing the Splunk UI?
The attack is most straightforward via the Dashboard Studio UI, but the underlying PDF export API endpoint could potentially be invoked programmatically. Either way, valid Splunk credentials are mandatory.
How does the subdomain bypass work?
The trusted-domain validation checks if the requested domain *starts with* a whitelisted domain (prefix match) rather than validating exact domain ownership. An attacker can register attacker-controlled.splunk.com.evil.com, which passes the prefix check for 'splunk.com' but actually resolves to attacker infrastructure.
Is Splunk Cloud Platform more or less vulnerable than Splunk Enterprise?
Both are equally vulnerable in principle; the vulnerability affects multiple versions of both. Splunk Cloud customers may have reduced network exposure to internal infrastructure outside the Cloud Platform, but those with private-link or VPC-peering integrations could still be at risk.
This analysis is provided for informational purposes only and does not constitute legal, compliance, or professional security advice. Exploit details are intentionally abstracted to prevent weaponization. All version numbers and patch guidance are sourced from official Splunk advisories; verify against your vendor's latest security bulletins before deploying patches. Your organization's risk posture depends on network topology, access controls, and data sensitivity; consult your security team for environment-specific remediation priorities. SEC.co makes no warranty regarding the completeness or accuracy of this intelligence and assumes no liability for misuse or unauthorized access attempts. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10068HIGHSSRF in Shibby Tomato 1.28 miniupnpd (Unmaintained)
- CVE-2026-10107HIGHMoviePilot v2 SSRF in Image Proxy Allows Internal Network Access
- CVE-2026-10280HIGHServer-Side Request Forgery in Horizon921 mcpilot 0.1.0
- CVE-2026-10287HIGHSSRF in SourceCodester SEO Meta Tag Extractor 1.0
- CVE-2026-10586HIGHGutenberg Essential Blocks SSRF Vulnerability – High Risk Server-Side Request Forgery
- CVE-2026-10771HIGHCRMEB Java SSRF Vulnerability in QR Code Endpoint
- CVE-2026-11437HIGHServer-Side Request Forgery in go-fastdfs-web 1.3.7 and Earlier
- CVE-2026-42398HIGHKibana Webhook SSRF Vulnerability—Egress Allowlist Bypass