CVE-2026-20252: Server-Side Request Forgery (SSRF) through Dashboard Studio PDF Export in Splunk Enterprise
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.4.2604.3, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, a low-privileged user that does not hold the "admin" or "power" Splunk roles could send server-side requests to arbitrary internal destinations through the Dashboard Studio PDF export feature. The vulnerability exists because the trusted-domain validation uses a prefix match that can be bypassed with attacker-controlled subdomains (for example, docs.splunk.com.evil.com), and because the PDF export service follows HTTP redirects automatically without re-validating each redirect target against the allowlist.
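The two root causes above (a string-prefix allowlist test and redirect following without re-validation) are easy to see side by side. The following is an added example, not Splunk's code: it uses a constructed allowlist and a constructed redirect map, and shows the flawed prefix check accepting a `docs.splunk.com.evil.com` host next to a hardened check anchored on a label boundary that is re-applied on every redirect hop.

```python
from urllib.parse import urlparse

# Constructed allowlist for illustration; the advisory does not publish Splunk's real list.
TRUSTED_DOMAINS = ("docs.splunk.com", "splunk.com")


def host_of(url: str) -> str:
    """Lower-cased hostname with any trailing dot removed; empty if the URL has none."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_trusted_prefix_match(url: str) -> bool:
    """Flawed check of the kind the advisory describes: a plain string-prefix test,
    so a host such as docs.splunk.com.evil.com passes because it starts with an
    allowed domain."""
    host = host_of(url)
    return any(host.startswith(d) for d in TRUSTED_DOMAINS)


def is_trusted_host(url: str) -> bool:
    """Hardened check: https only, and the host must equal an allowed domain or end
    with '.' + domain, so the comparison is anchored on a DNS label boundary."""
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return False
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def fetch_with_validated_redirects(url: str, redirects: dict, max_hops: int = 5):
    """Simulate an export service walking a redirect chain. `redirects` is a
    constructed mapping of URL -> Location header standing in for real responses;
    production code would request each hop with automatic redirects disabled and
    read the Location header itself. Every hop, the first URL included, is
    validated before it would be requested. Returns the final URL, or None if a
    hop is rejected or the chain exceeds max_hops."""
    for _ in range(max_hops + 1):
        if not is_trusted_host(url):
            return None          # redirect target left the allowlist: abort the export
        if url not in redirects:
            return url           # no further redirect: this is the real fetch target
        url = redirects[url]
    return None                  # too many hops (redirect loop or long chain)
```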
Metrics
- CVSS v3.1: 7.6
- Severity: HIGH
- Fixed in: 9.3.13
- Affected Products: 2
HarborGuard Analysis
Synopsis
Server-Side Request Forgery (SSRF) affects Splunk Enterprise and Splunk Cloud Platform through the Dashboard Studio PDF export feature. The vulnerability is reachable over the network by any authenticated low-privilege user, with no victim interaction required. Successful exploitation lets the attacker send HTTP requests from the Splunk server to arbitrary internal destinations, potentially exposing internal services, leaking sensitive data, or tampering with internal endpoints. Patched-image rebuilds at versions 9.3.13, 9.3.2411.132, 9.4.12, 10.0.7, and 10.1.2507.22 are available on HarborGuard for affected environments.
HarborGuard Coverage
Detection of CVE-2026-20252 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images derived from affected Splunk base layers. Coverage extends to both direct Splunk Enterprise images and derivative images built on affected versions in customer registries and CI pipelines.
HarborGuard scores this CVE at CVSS 7.6 HIGH and can weight that score against each environment's compliance policy to surface it at the appropriate priority. Per-organization routing delivers findings to the right team inbox automatically, without manual triage overhead.
A patched-image rebuild at the fix versions (9.3.13, 9.3.2411.132, 9.4.12, 10.0.7, 10.1.2507.22) becomes available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a PR against affected workloads where compliance policy permits.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the Splunk Dashboard Studio PDF export endpoint over the network; the service must be accessible from the attacker's network position.
- Authentication: Required
  Any low-privilege Splunk account is sufficient; the attacker does not need an admin or power role, but must hold valid credentials.
- Victim interaction: Not required
  No victim action is needed; the attacker submits a crafted export request directly without involving another user.
- Attack complexity: Low
  Exploitation is reliable and condition-free; bypassing the prefix-based allowlist with an attacker-controlled subdomain (e.g., docs.splunk.com.evil.com) requires no special timing or environmental factors.
Blast Radius
- Reads responses from internal HTTP services reachable by the Splunk server, including metadata APIs, internal dashboards, or credential stores exposed on the internal network.
- Triggers unintended HTTP requests against internal endpoints, which can modify state or consume resources on services that trust requests from the Splunk host.
- Leaks internal network topology by probing hosts and ports that are otherwise unreachable from outside the perimeter.
- Causes limited disruption to the Splunk server's availability through repeated redirect-following requests that consume PDF export service resources.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-20252 is active across all connected registries and pipelines, matching images against the affected version ranges for both Splunk Enterprise and Splunk Cloud Platform. For environments running an affected version, a patched-image rebuild at the fix versions becomes available automatically. For customers who opt into auto-remediation, HarborGuard rebuilds the image, executes a regression run, and opens a PR against affected workloads; for HIGH-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy restricts automated changes, HarborGuard surfaces the finding with full CVSS context and version-range detail so engineers can act manually. Until an upgrade is applied, teams should consider restricting access to the Dashboard Studio PDF export feature via network policy, limiting which internal CIDR ranges the Splunk server can reach on egress, and auditing low-privilege account activity against the export endpoint.
Fix available
- Splunk / Splunk Enterprise: < 10.2.4 (from 10.2) · < 10.0.7 (from 10.0) · < 9.4.12 (from 9.4) · < 9.3.13 (from 9.3)
- Splunk / Splunk Cloud Platform: < 10.4.2604.3 (from 10.4.2604) · < 10.3.2512.12 (from 10.3.2512) · < 10.2.2510.14 (from 10.2.2510) · < 10.1.2507.22 (from 10.1.2507) · < 9.3.2411.132 (from 9.3.2411)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L