CVE-2026-20259: Splunk Saved Search Ownership Privilege Escalation Vulnerability
A vulnerability in Splunk Enterprise and Splunk Cloud Platform allows authenticated users with the `edit_saved_search_owner` capability to reassign ownership of saved searches to any user, including those outside their normal scope of access. The affected endpoint lacks proper authorization checks, creating an avenue for privilege escalation or lateral movement within Splunk deployments. The vulnerability requires an authenticated attacker with a specific high-privilege role, limiting but not eliminating risk in environments where role delegation is common.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
- Weaknesses (CWE)
- CWE-284
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, and 9.3.2411.131, a user who holds a Splunk role that contains the high-privilege capability `edit_saved_search_owner` could reassign saved search ownership to users outside their authorized scope. The ownership reassignment endpoint lacks access control.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-20259 is an improper access control vulnerability (CWE-284) in the saved search ownership reassignment endpoint. Users holding roles that include the `edit_saved_search_owner` capability can bypass scope restrictions and reassign search ownership without additional authorization validation. The vulnerability affects Splunk Enterprise (versions below 10.2.4 and 10.0.7) and Splunk Cloud Platform (versions below 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, and 9.3.2411.131). The CVSS 3.1 score of 5.5 (MEDIUM) reflects a network-accessible attack vector, high-privilege requirement, and confidentiality impact from exposure of search content and results.
Business impact
Unauthorized saved search ownership reassignment can lead to data exfiltration, tampering with alerting logic, or disruption of critical monitoring pipelines. In organizations using Splunk for compliance monitoring, security intelligence, or operational analytics, an attacker reassigning ownership could mask unauthorized access, modify alert thresholds, or prevent detection of suspicious activity. The impact scales with how extensively Splunk is integrated into security operations and business-critical workflows.
Affected systems
Splunk Enterprise versions below 10.2.4 and 10.0.7, and all listed Splunk Cloud Platform versions below 10.4.2604.0 are affected. Organizations running Splunk 9.x, 10.0.x, 10.1.x, 10.2.x, or 10.3.x should check their specific patch version against the advisory. Splunk Cloud Platform customers should verify their instance version, as cloud tenants may be on different patch levels.
Exploitability
Exploitation requires authentication and membership in a role containing the `edit_saved_search_owner` capability—a high-privilege role typically granted to power users, administrators, or service accounts. No user interaction, network bypass, or exploit complexity is needed beyond standard API calls once authenticated. The attack surface is limited to organizations that have delegated this capability to multiple users or have weak role governance. The vulnerability is not believed to be actively exploited in the wild (KEV status: not added).
Remediation
Apply the patched versions: Splunk Enterprise 10.2.4 or 10.0.7 or later (verify your currently supported stream), or Splunk Cloud Platform versions 10.4.2604.0, 10.3.2512.12, 10.2.2510.15, 10.1.2507.23, 10.0.2503.14, or 9.3.2411.131 or later, depending on your deployment. Prior to patching, audit and restrict the `edit_saved_search_owner` capability to only trusted administrators, and review access logs for any suspicious saved search ownership changes.
Patch guidance
Splunk regularly releases maintenance updates through its official download portal and cloud managed services. Enterprise customers should reference the Splunk security advisory for their specific version stream (8.x, 9.x, 10.x) to identify the correct patch. Cloud Platform customers are automatically updated by Splunk; verify your tenant version matches or exceeds the listed patched versions. Test patches in a non-production environment before production deployment to ensure compatibility with custom apps and workflows.
Detection guidance
Monitor Splunk audit logs for changes to saved search ownership, particularly assignments to unexpected users. Search for API calls to the saved search ownership endpoint (`/services/saved/searches/{id}`) with ownership changes. Alert on any reassignments by users whose roles contain `edit_saved_search_owner` but are not typically expected to perform such operations. Review role membership periodically to identify over-privileged accounts and reduce the blast radius of role compromise.
Why prioritize this
MEDIUM severity with authentication requirement places this in the secondary tier for patching priority, but context matters: if your organization grants `edit_saved_search_owner` to numerous users, or if Splunk is a core security analytics platform, prioritize patching earlier. Organizations with strong access controls and centralized role administration can defer to next maintenance window. However, any environment where Splunk feeds compliance reporting or security alerting should patch within 30 days.
Risk score, explained
The CVSS 3.1 score of 5.5 reflects a network-accessible, low-complexity attack requiring high privilege and delivering high confidentiality impact (search content exposure) with limited integrity impact (ownership reassignment). The score does not weigh business context—for security-critical deployments, effective risk is higher. The absence of KEV status indicates no confirmed active exploitation, reducing urgency slightly but not the importance of eventual remediation.
Frequently asked questions
Does this vulnerability allow unauthenticated access?
No. The vulnerability requires a valid Splunk user account with a role containing the `edit_saved_search_owner` capability. It does not bypass authentication.
What happens if a saved search is reassigned to an unauthorized user?
The new owner gains full access to the saved search, including the ability to view query logic, results, and embedded credentials or data references. They could also modify, run, or alert on the search, potentially disrupting monitoring or exfiltrating data.
How should we limit exposure while waiting to patch?
Audit and remove the `edit_saved_search_owner` capability from all roles except a small group of trusted administrators. Review recent saved search ownership changes in audit logs for suspicious activity. Enable role-based access controls and monitor API calls to the saved search endpoint.
Is this vulnerability actively being exploited?
No, the vulnerability is not currently tracked in the CISA KEV catalog and has not been reported as actively exploited in the wild as of the advisory publication date.
This analysis is based on the official vulnerability description and CVSS assessment published by Splunk and the National Vulnerability Database. Specific patch versions and timelines should be verified against the Splunk Security Advisory and your vendor communications. This explainer does not constitute legal, compliance, or procurement advice. Organizations should assess business risk in their specific context and test patches in controlled environments before production deployment. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2024-27891MEDIUMArista EOS MACsec + Egress ACL Policy Enforcement Failure
- CVE-2026-10152MEDIUMImproper Access Control in TaleLin lin-cms-spring-boot Book Endpoint
- CVE-2026-10172MEDIUMBdtask Multi-Store Inventory 1.0 Unrestricted File Upload Vulnerability
- CVE-2026-10205MEDIUMUnrestricted File Upload in Metasoft MetaCRM 6.4.0 – Exploit Details & Remediation
- CVE-2026-10255MEDIUMPharmacy Sales System Authentication Bypass – SourceCodester 1.0
- CVE-2026-10277MEDIUMImproper Access Control in MCP Google Workspace Gmail Tool
- CVE-2026-10806MEDIUMUnrestricted File Upload in mjperpinosa stumasy
- CVE-2026-10807MEDIUMUnrestricted File Upload in mjperpinosa stumasy Profile Image Handler