MEDIUM 5.7

CVE-2026-20256: Splunk Dashboard URL Validation Vulnerability – Protocol-Relative URL Bypass

A vulnerability in Splunk Enterprise and Splunk Cloud Platform allows a low-privileged user without admin or power roles to trick other users into visiting attacker-controlled websites through specially crafted dashboard links. The flaw exploits a gap in URL validation: Splunk's security check only blocks URLs starting with 'http://' or 'https://', but misses protocol-relative URLs like '//attacker.com'. When a victim clicks a malicious drill-down link in a classic dashboard, they are silently redirected without the warning dialog that normally appears for external navigation. This can lead to credential theft, malware infection, or data exfiltration if the attacker's site mimics a trusted service.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.7 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-20
Affected products
2 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could cause data exfiltration through classic dashboards by redirecting a victim to an external site using a protocol-relative URL in a drill-down link.<br><br>The vulnerability exists because the URL classifier in classic dashboards only recognizes `http://` and `https://` schemes when checking for external URLs. Protocol-relative URLs such as `//attacker.com` bypass this check entirely, and Splunk Web does not show the external-navigation warning dialog to the victim.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from incomplete URL scheme validation in Splunk's classic dashboard drill-down feature. The URL classifier regex or whitelist only recognizes absolute schemes (http:// and https://), allowing protocol-relative URLs (beginning with //) to bypass external-URL detection. When a user clicks a malicious drill-down, the browser interprets the protocol-relative URL according to the current page's scheme, potentially directing traffic to an attacker-controlled domain. The absence of the external-navigation warning dialog—which is supposed to alert users before leaving Splunk—is a direct consequence of the validation failure. Exploitation requires creation of a dashboard containing the malicious link and social engineering to convince a victim to click it.

Business impact

Organizations using Splunk for security monitoring, log analytics, or operational intelligence face heightened risk of user credential compromise and lateral movement. Attackers can craft convincing phishing attacks by embedding malicious links in dashboards that may appear legitimate within the Splunk interface. A victim navigating to an attacker site could expose authentication tokens, API keys, or sensitive query results. For organizations where Splunk dashboards are widely shared or embedded in workflows, the attack surface is substantially larger. The requirement for low-privilege access to create or modify dashboards means internal threats or compromised low-privileged accounts present realistic exploitation scenarios.

Affected systems

Splunk Enterprise versions before 10.2.4, 10.0.7, 9.4.12, and 9.3.13 are vulnerable. Splunk Cloud Platform is affected in versions before 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132. The vulnerability exists only in classic dashboards; modern dashboard implementations may have different handling. Any organization running unpatched versions in either product family should assume exposure if low-privileged users can create or edit dashboards.

Exploitability

Exploitation requires user interaction (a click on a malicious link) and low-privilege dashboard creation capability, making this attack medium-complexity but practical in insider-threat scenarios or when account compromise occurs. An attacker cannot directly execute code or access data within Splunk; instead, the attack redirects users to external sites. The attack is not listed in the CISA KEV catalog, suggesting limited evidence of active exploitation in the wild, though the simplicity of creating a malicious dashboard means exploitation could scale quickly if publicized. Phishing skill and social engineering are the primary attacker requirements.

Remediation

Apply vendor patches immediately: upgrade to Splunk Enterprise 10.2.4, 10.0.7, 9.4.12, or 9.3.13 (or newer), or upgrade Splunk Cloud Platform to 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, or 9.3.2411.132 (or newer) depending on your current version line. Verify patch versions against official Splunk security advisories before deploying. Organizations unable to patch immediately should restrict dashboard creation and editing to trusted administrators, audit existing dashboards for suspicious drill-down URLs, and educate users to verify URLs before clicking—especially those containing '//' prefixes or unusual domain structures.

Patch guidance

Prioritize patching based on version line. If you run Splunk Enterprise 10.2.x, upgrade to 10.2.4 or later. For 10.0.x, target 10.0.7 or later. For 9.4.x, apply 9.4.12 or later. For 9.3.x, apply 9.3.13 or later. Splunk Cloud Platform customers should contact Splunk support for automated upgrade scheduling or confirm your instance version via the UI and cross-reference against the advisory. Test patches in a non-production environment first, particularly if you have custom dashboard integrations or rely on drill-down navigation for operational workflows. Splunk provides official patch notes; verify build numbers match before production deployment.

Detection guidance

Search classic dashboard definitions for drill-down links containing protocol-relative URLs (patterns like //[domain], //?[query], or similar). Export or query Splunk's internal configuration to audit dashboard XML/JSON payloads for suspicious external links. Monitor web logs and proxy records for unexpected outbound traffic to attacker-controlled domains originating from Splunk Web sessions. Examine audit logs for dashboard creation or modification by low-privilege accounts, especially if followed by user clicks on unusual external links. Hunt for drill-down URLs that do not include http:// or https:// schemes but are intended to navigate away from Splunk.

Why prioritize this

Although the CVSS score is medium (5.7) and active exploitation is not yet documented in KEV, the vulnerability is trivial to exploit and affects widely deployed analytics infrastructure. Any organization where dashboards are shared broadly or where users are targeted by social engineering should treat this as high-priority. The requirement for only low privilege and user interaction, combined with the potential for credential theft or malware delivery, justifies rapid patching. Organizations with strong dashboard governance and user security awareness may accept slightly longer timelines, but the ease of patch deployment argues for expedited action.

Risk score, explained

The CVSS 3.1 score of 5.7 (Medium) reflects low attack complexity, requirement for low privilege and user interaction, and high confidentiality impact (credentials or data exfiltration) with no integrity or availability risk to Splunk itself. The score appropriately penalizes the user-interaction requirement and lack of direct system compromise. However, organizational risk depends on dashboard sharing patterns and user susceptibility to phishing; high-trust environments with extensive dashboard sharing should weight this higher than the base CVSS suggests.

Frequently asked questions

Can an attacker with admin or power roles exploit this vulnerability?

No. The vulnerability specifically affects only low-privileged users who lack the 'admin' or 'power' roles. These users are already restricted in their access and can only craft malicious dashboards if the organization has granted them dashboard creation privileges. High-privilege accounts are out of scope.

Does this vulnerability allow direct data exfiltration from Splunk?

No. The vulnerability itself does not grant access to Splunk data. Instead, it redirects users to external sites, where an attacker can capture credentials, session tokens, or other sensitive information the user willingly provides. Data exfiltration occurs if a user is tricked into entering credentials on a phishing page, not through a direct Splunk breach.

Are modern dashboards (not classic dashboards) affected?

The vulnerability is specific to classic dashboards. Splunk's newer dashboard framework may have improved URL validation, but organizations should verify this with Splunk support for their specific version. Until confirmed, assume only classic dashboards require immediate remediation.

What should I do if I cannot patch immediately?

Restrict dashboard creation and editing to trusted administrators, regularly audit existing dashboards for suspicious drill-down URLs, disable drill-down navigation if not critical to operations, and train users to recognize suspicious URLs. Monitor web traffic for unexpected external redirects and review audit logs for dashboard creation by low-privilege accounts. These controls reduce but do not eliminate risk; prioritize patching as soon as possible.

This analysis is based on vendor-provided CVE details and security research. Specific patch version numbers, affected build lists, and remediation timelines should be verified directly against official Splunk security advisories and your organization's deployment configuration. This vulnerability requires user interaction and low-privilege account compromise or creation; organizations with strict access controls may face lower practical risk. No guarantee is provided regarding completeness or applicability to non-standard Splunk deployments. For definitive guidance, consult Splunk support and your internal security team. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).