CVE-2026-20254: Splunk CSS Injection Enables Credential Exfiltration via Malicious Dashboards
A vulnerability in Splunk Enterprise and Splunk Cloud Platform allows low-privileged users to create malicious dashboards that steal sensitive data when viewed by administrators or power users. The attack works by injecting CSS code into dashboard styling that bypasses Splunk's security controls designed to prevent outbound connections to untrusted servers. An attacker without admin privileges can craft a specially designed 'classic' dashboard that, when opened by someone with higher permissions, silently sends sensitive information—including credentials—to a server they control.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.7 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-20
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could craft a malicious classic dashboard that exfiltrates sensitive data to an external server when a higher-privileged user views it, bypassing the external content restriction through a Cascading Style Sheets (CSS) injection.<br><br>The Trusted Domains security check does not fully validate inline style attribute values, which can allow for outbound requests to untrusted domains and credential exfiltration when a victim views a crafted dashboard.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-20254 is a CSS injection vulnerability in Splunk's dashboard functionality that circumvents the Trusted Domains security check. The flaw exists in how inline style attribute values are validated; specifically, attackers can inject CSS properties that trigger outbound HTTP requests to external, untrusted domains. When a user with elevated privileges (admin or power role) views the malicious classic dashboard, the injected CSS executes in their security context, enabling data exfiltration. The vulnerability affects Splunk Enterprise versions before 10.2.4, 10.0.7, 9.4.12, and 9.3.13, as well as Splunk Cloud Platform versions before 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132.
Business impact
This vulnerability creates a privilege escalation and data exfiltration risk. Attackers with basic Splunk access can compromise higher-privileged accounts and extract sensitive data—potentially including authentication tokens, configuration secrets, and business intelligence stored within Splunk. Organizations that share dashboard libraries or permit user-generated dashboards face heightened risk, as a single malicious dashboard could be viewed by multiple administrators, multiplying the exposure. The attack requires no advanced technical knowledge and leaves minimal audit trails if not actively monitored.
Affected systems
Splunk Enterprise versions: below 10.2.4, 10.0.7, 9.4.12, and 9.3.13. Splunk Cloud Platform versions: below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132. Any organization running these versions with classic dashboards and dashboard-sharing workflows is vulnerable. Cloud-based Splunk deployments may be patched automatically by Splunk; on-premises Enterprise customers must manually apply updates.
Exploitability
Exploitability is straightforward. An attacker needs only basic Splunk user access (no admin role required) and the ability to create or modify a classic dashboard—a common feature in Splunk environments. The attack is triggered passively when a victim with higher privileges simply views the dashboard; no additional user interaction beyond normal dashboard viewing is required. There is no public exploit code reported, but the attack surface is broad in organizations where dashboard creation is delegated to multiple users. The CVSS score of 5.7 (MEDIUM) reflects that while impact is high (credential/data exfiltration), exploitation requires a low-privilege user account and relies on social engineering (convincing an admin to view the dashboard).
Remediation
Update affected Splunk instances immediately to patched versions. For Splunk Enterprise, upgrade to version 10.2.4, 10.0.7, 9.4.12, or 9.3.13 or later (depending on your current version branch). For Splunk Cloud Platform, ensure you are running 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, or 9.3.2411.132 or later. Cloud customers should verify patching status with Splunk's dashboard or support. As an interim mitigation, restrict dashboard creation and editing permissions to trusted administrators only, and educate users not to open dashboards from untrusted sources. Monitor outbound connections from your Splunk infrastructure for unexpected external domain requests.
Patch guidance
Splunk has released patches for all affected versions. On-premises Enterprise customers should prioritize upgrades in this order: 1) Production instances running 9.3.x, 9.4.x, 10.0.x, or 10.2.x; 2) Non-production instances; 3) Lab/dev environments. Test patches in a non-production environment before deployment to ensure compatibility with custom apps and dashboards. Splunk Cloud customers should verify patch status through their cloud console—Splunk may apply updates automatically, but confirmation is recommended. No rollback complications are expected; patches are backward-compatible.
Detection guidance
Audit the Splunk audit logs for dashboard creation or modification events by low-privileged users, particularly any changes to classic dashboards. Search for CSS-related changes in dashboard XML (look for inline 'style' attributes with unusual property values). Monitor HTTP access logs and firewall egress logs for outbound connections from Splunk instances to unexpected external domains, especially over ports 80/443 with suspicious User-Agent strings or timing patterns. Enable Splunk's data lineage and access logging features to track which dashboards were viewed and by whom. Set up alerts on any new external domain lookups initiated from the Splunk search head or indexer tier.
Why prioritize this
Although CVSS assigns this a MEDIUM score, context elevates urgency: (1) The attack is trivial to execute and requires only basic user access; (2) It directly targets high-value victims (admins/power users) who can access sensitive data and configurations; (3) Credential exfiltration has cascading risk across your infrastructure; (4) The attack is hard to detect without active monitoring. Organizations with shared dashboards, SOC teams, or multi-tenant Splunk deployments should treat this as HIGH priority. Patch within 30 days for most environments; within 7–14 days if dashboards are frequently shared across user groups.
Risk score, explained
The CVSS 3.1 score of 5.7 reflects a Medium severity. The vector (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N) indicates network attack vector, low complexity, low privilege requirements, required user interaction (victim viewing the dashboard), no scope change, high confidentiality impact (data exfiltration), no integrity or availability impact. The score undershoots actual organizational risk because it does not account for the downstream value of compromised admin credentials or the likelihood that Splunk holds business-critical data. Adjust internal risk ratings upward if Splunk is used for security monitoring, compliance, or secrets storage.
Frequently asked questions
Can an attacker execute arbitrary code on my Splunk instance?
No. This vulnerability is limited to CSS injection and data exfiltration via outbound HTTP requests. It does not allow remote code execution or modification of Splunk configuration or data. However, exfiltrated credentials could be used to gain deeper access post-compromise.
Do I need to remove or audit existing dashboards?
Yes, conduct a review. Identify which dashboards were created or recently modified by low-privileged users, especially classic dashboards. Inspect the XML for suspicious inline style attributes or CSS properties that reference external domains. Focus on dashboards shared with admin or power users. Removal is not necessary if patching is complete, but retention of malicious dashboards increases residual risk.
Will Splunk Cloud Platform be automatically patched?
Splunk typically rolls out cloud patches on a schedule, but timing varies by instance. Check your Splunk Cloud console for the running version and compare it against the patched versions listed in the advisory. Contact Splunk Support if your instance has not been updated to a patched version within 30 days of the patch release date.
Is this vulnerability exploited in the wild?
As of the published date (June 2026), this vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning no widespread active exploitation has been confirmed. However, the low barrier to exploitation means you should not assume it is unused by threat actors. Patching promptly is still critical.
This analysis is based on official vendor advisories and CVE metadata current as of the publication date. Patch version numbers and affected version ranges must be verified against Splunk's official security advisory before deployment. This vulnerability does not appear on CISA's KEV catalog as of the analysis date. Organizations should conduct their own risk assessment based on their Splunk deployment architecture, data sensitivity, and user access patterns. This explainer is provided for informational purposes and does not constitute professional security advice or a guarantee of remediation success. Always test patches in non-production environments first. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-20255MEDIUMSplunk Dashboard URL Validation Bypass – Data Exfiltration Risk
- CVE-2026-20256MEDIUMSplunk Dashboard URL Validation Vulnerability – Protocol-Relative URL Bypass
- CVE-2026-20257MEDIUMSplunk Dashboard Data Exfiltration via Style Attribute Bypass
- CVE-2025-5089MEDIUMArista EOS/CVX DoS via Malformed Messages
- CVE-2025-5090MEDIUMCVX CVE-2025-5090: Input Validation Flaw Leads to Agent Crashes and Denial of Service
- CVE-2026-0018MEDIUMAndroid AccessibilityManagerService Denial of Service Vulnerability
- CVE-2026-0051MEDIUMAndroid UBSan Runtime Denial of Service Vulnerability
- CVE-2026-0070MEDIUMAndroid DevicePolicyManagerService Local Denial of Service Vulnerability