CVE-2026-20137

low Splunk
CVSS v3 Base Score
3.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
EPSS Score
0.0%
Exploitation probability in 30 days
Top 91% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Confidentiality
Low
Integrity
None
Availability
None
Published: February 18, 2026 (84 days ago)
Last Modified: February 20, 2026
Vendor: Splunk

Description

In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.5, 9.3.7, and 9.2.9, and Splunk Cloud Platform versions below 10.1.2507.0, 10.0.2503.9, 9.3.2411.112, and 9.3.2408.122, a low-privileged user who does not hold the "admin" or "power" Splunk roles could bypass the SPL safeguards for risky commands when they create a Data Model that contains an injected SPL query within an object. They can bypass the safeguards by exploiting a path traversal vulnerability.

CWE

CWE-200

Affected Products

splunk splunksplunk splunk cloud platform

References

🔗 advisory.splunk.com