CVE-2025-20226

Name of the Vulnerable Software and Affected Versions Splunk Enterprise versions prior to 9.4.1 Splunk Enterprise versions prior to 9.3.3 Splunk Enterprise versions prior to 9.2.5 Splunk Enterprise versions prior to 9.1.8 Splunk Cloud Platform versions prior to 9.3.2408.107 Splunk Cloud Platform versions prior to 9.2.2406.111 Splunk Cloud Platform versions prior to 9.1.2308.214

Description A low-privileged user could bypass the SPL safeguards for risky commands on the "/services/streams/search" endpoint through its q parameter, using the permissions of a higher-privileged user. This requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the issue at will.

Recommendations For Splunk Enterprise versions prior to 9.4.1, update to version 9.4.1 or later. For Splunk Enterprise versions prior to 9.3.3, update to version 9.3.3 or later. For Splunk Enterprise versions prior to 9.2.5, update to version 9.2.5 or later. For Splunk Enterprise versions prior to 9.1.8, update to version 9.1.8 or later. For Splunk Cloud Platform versions prior to 9.3.2408.107, update to version 9.3.2408.107 or later. For Splunk Cloud Platform versions prior to 9.2.2406.111, update to version 9.2.2406.111 or later. For Splunk Cloud Platform versions prior to 9.1.2308.214, update to version 9.1.2308.214 or later. As a temporary workaround, consider restricting access to the "/services/streams/search" endpoint to minimize the risk of exploitation. Avoid using the q parameter in the affected endpoint until the issue is resolved.