CVE-2025-20226

Description

In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8 and Splunk Cloud Platform versions below 9.3.2408.107, 9.2.2406.111, and 9.1.2308.214, a low-privileged user that does not hold the "admin" or "power" Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands on the "/services/streams/search" endpoint through its "q" parameter. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.

Reserved 2024-10-10 | Published 2025-03-26 | Updated 2025-03-27 | Assigner cisco

Problem types

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Product status

9.4 before 9.4.1
affected

9.3 before 9.3.3
affected

9.2 before 9.2.5
affected

9.1 before 9.1.8
affected

9.3.2408 before 9.3.2408.107
affected

9.2.2406 before 9.2.2406.111
affected

9.1.2308 before 9.1.2308.214
affected

Credits

Anton (therceman)

References

advisory.splunk.com/advisories/SVD-2025-0305

cve.org (CVE-2025-20226)

nvd.nist.gov (CVE-2025-20226)

Download JSON