TL;DR
Splunk released patches on July 15, 2026 for three Splunk Enterprise vulnerabilities. The most serious, CVE-2026-20296, is a cross-site request forgery (CSRF) flaw that enables SPL execution as splunk-system-user. Fixed builds are available for Splunk Enterprise and Splunk Cloud Platform.
Why It Matters
Splunk sits at the heart of many security operations centers and stores credentials and indexed log data. Consequently, flaws that expose stored secrets deserve fast attention. Splunk has not confirmed in-the-wild exploitation or a public proof-of-concept for any of the three issues.
How the Attacks Work
CVE-2026-20296: CSRF in the Deployment Server
Deployment Server endpoints in Splunk Web skip CSRF token checks on GET requests, and caller input flows into SPL searches without neutralization. According to advisory SVD-2026-0702, an attacker can trick a user holding the list_deployment_server capability into running arbitrary SPL as splunk-system-user. That grants access to stored credentials and indexed data. Splunk rates it 8.3 (High).
CVE-2026-20297: Path Traversal During App Installation
A user with the edit_local_apps and install_apps capabilities can make a legitimate app installation write files outside the intended app directory, into $SPLUNK_HOME/etc/. Details appear in advisory SVD-2026-0703. It scores 7.2 (High).
CVE-2026-20298: Credential Hash Exposure
A low-privileged user without the admin or power role can view stored credential hashes. The |rest SPL command returns the encr_password field from the storage/passwords endpoint, per advisory SVD-2026-0704. Splunk rates it 5.3 (Medium).
- Total: 3 CVEs
- Severity: 2 High · 1 Medium
- Actively exploited: None confirmed
- Highest severity: 8.3 (High · CVSSv3) — CVE-2026-20296
- Action: Apply the latest security updates now
Notable CVEs
| CVE | CVSS | Type | Fixed in | Status |
|---|---|---|---|---|
| CVE-2026-20296 | 8.3 | CWE-352 | 10.4.1, 10.2.5, 10.0.8 (+6) | Not exploited |
| CVE-2026-20297 | 7.2 | CWE-22 | 10.4.1, 10.2.5, 10.0.8 (+6) | Not exploited |
| CVE-2026-20298 | 5.3 | CWE-200 | 10.4.1, 10.2.5, 10.0.8 (+6) | Not exploited |
Affected Versions
The Splunk Enterprise vulnerabilities affect versions below 10.4.1, 10.2.5, 10.0.8, and 9.4.13. In addition, CVE-2026-20297 affects 9.3 versions below 9.3.14. Several Splunk Cloud Platform releases below the 10.5.2605.0, 10.4.2604.x, 10.3.2512.x, 10.2.2510.18, and 10.1.2507.24 lines are also affected.
Patch and Mitigation
Upgrade Splunk Enterprise to 10.4.1, 10.2.5, 10.0.8, 9.4.13, or 9.3.14 and higher. Meanwhile, Splunk is updating Splunk Cloud Platform instances on its side. Admins should also review who holds the deployment and app installation capabilities named above.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.