Splunk fixes flaws exposing internal data and enabling denial of service
Splunk released patches for three vulnerabilities affecting Splunk Enterprise, Splunk Cloud Platform, and the Splunk AI Toolkit, including a high-severity denial-of-service bug and two issues that can expose sensitive data. CVE-2026-20240 affects the splunk_archiver app, where a low-privileged user can abuse the coldToFrozen.sh script to rename critical directories and render an instance inoperable. CVE-2026-20239 stems from improper output sanitization in the TcpChannel component and can leak session cookies and cleartext HTTP response bodies into the _internal log index, while CVE-2026-20238 is an access-control weakness in the Splunk AI Toolkit that can bypass intended search restrictions and expose restricted data.
Splunk said the issues were fixed in updated releases, including AI Toolkit 5.7.3 for CVE-2026-20238, and urged customers to upgrade affected deployments. The company also published interim mitigations for organizations that cannot patch immediately, including restricting access to the _internal index to administrators, disabling the Splunk Archiver application, reviewing inherited roles and permissions, and removing the problematic srchFilter entry from local configuration where applicable. The advisories highlight risks to both platform availability and the confidentiality of operational data stored in Splunk environments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-25606 is recorded in vulnerability databases
CVE-2026-25606, a SQL injection flaw in STER, was recorded as a newly received vulnerability by cvd@cert.pl. The entry noted that the issue allows authenticated attackers to access sensitive data and that the vendor fixed it in STER version 9.5.
Splunk discloses and patches three vulnerabilities across its products
Splunk disclosed and patched CVE-2026-20238, CVE-2026-20239, and CVE-2026-20240 affecting Splunk AI Toolkit, Splunk Enterprise, and Splunk Cloud Platform. The flaws could expose restricted data, leak sensitive information into internal logs, or allow a low-privileged user to trigger denial-of-service conditions, and Splunk issued upgrade and mitigation guidance.
CERT Polska discloses three STER vulnerabilities fixed in version 9.5
CERT Polska published details of three vulnerabilities affecting STER versions before 9.5: SQL injection (CVE-2026-25606), weak password encoding (CVE-2026-25607), and cleartext transmission over unencrypted TCP (CVE-2026-25608). The disclosure credited Michelin CERT for the report and stated the issues were fixed in STER version 9.5.
Splunk publishes advisory SVD-2026-0302
Splunk published vulnerability advisory SVD-2026-0302. Based on the available metadata, this represents a separate Splunk disclosure event distinct from the earlier SVD-2026-0201 advisory and the later May 2026 multi-CVE disclosure.
Splunk publishes advisory SVD-2026-0201
Splunk published vulnerability advisory SVD-2026-0201. Based on the reference metadata, this advisory represents an earlier Splunk disclosure event preceding the later May 2026 vulnerability reporting already in the timeline.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
8 references tracked. Mallory keeps watching after this page renders.
Splunk Patches Multiple Vulnerabilities that Enable DOS Attack and Exposes Sensitive Data
cybersecuritynews.com
Open sourceSplunk Patches High-Severity Bugs Granting DoS and Internal Log Leaks
securityonline.info
Open sourceCVE-2026-25606 - SQL Injection in STER
cvefeed.io
Open sourceSVD-2026-0503 | Splunk Vulnerability Disclosure
advisory.splunk.com
Open sourceSVD-2026-0504 | Splunk Vulnerability Disclosure
advisory.splunk.com
Open sourceVulnerabilities in STER software | CERT Polska
cert.pl
Open sourceSVD-2026-0302 | Splunk Vulnerability Disclosure
advisory.splunk.com
Open sourceSVD-2026-0201 | Splunk Vulnerability Disclosure
advisory.splunk.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical OS Command Injection Patched in Splunk AI Toolkit
Splunk disclosed a critical vulnerability in **Splunk AI Toolkit** that allows OS command injection through the `btool` Configuration Helper, affecting versions earlier than **5.7.4**. Tracked as **`CVE-2026-20266`** and rated **CVSS 9.1**, the flaw stems from unsafe shell execution that can let a user with the Splunk **admin** role run arbitrary commands on the host running Splunk Enterprise, creating a direct path to host compromise. Splunk also fixed **`CVE-2026-20265`**, a lower-severity insecure default domain allowlist issue rated **CVSS 4.3** that could allow a low-privileged user to trigger outbound HTTP requests and potentially exfiltrate data to an attacker-controlled server. The Canadian Centre for Cyber Security highlighted the vendor advisory in **AV26-614** and urged administrators to review Splunk’s guidance and upgrade to **version 5.7.4 or later**; public reporting said there was **no confirmed exploitation in the wild** at disclosure time.
Jun 29, 2026
Splunk Enterprise and Cloud Platform Vulnerabilities Allow Remote Code Execution and SSRF
Splunk has disclosed six critical security vulnerabilities affecting both Splunk Enterprise and Splunk Cloud Platform, exposing organizations to significant risks. The vulnerabilities include multiple cross-site scripting (XSS) flaws, an unauthenticated server-side request forgery (SSRF) vulnerability, and other weaknesses in Splunk’s web components. Two of the most notable XSS vulnerabilities are CVE-2025-20367, a reflected XSS in the /app/search/table endpoint, and CVE-2025-20368, a stored XSS in the Saved Search and Job Inspector features. Both XSS flaws can be exploited by low-privileged users to execute malicious JavaScript in the browsers of other users, potentially compromising user sessions and exposing sensitive data. The SSRF vulnerability, CVE-2025-20371, is particularly severe as it allows unauthenticated attackers to coerce Splunk into making REST API calls on behalf of authenticated high-privilege users, which could lead to further compromise of internal systems. These vulnerabilities affect multiple versions of Splunk Enterprise, specifically those below 10.0.1, 9.4.4, 9.3.6, and 9.2.8, as well as various versions of Splunk Cloud Platform. Successful exploitation of these flaws could allow attackers to gain unauthorized access, escalate privileges, and perform actions on behalf of legitimate users. Splunk has released patches addressing all six vulnerabilities and urges administrators to update their deployments immediately to mitigate the risks. The vulnerabilities highlight the importance of regular security assessments and prompt patch management in enterprise environments. Organizations using affected Splunk versions are advised to review their access logs for signs of exploitation and to apply the security updates without delay. The disclosure underscores the potential impact of web-based vulnerabilities in widely used security and analytics platforms. Security teams should also consider reviewing user permissions and monitoring for unusual activity in Splunk environments. The coordinated disclosure and rapid patching demonstrate the ongoing efforts by vendors and the security community to address critical flaws. These vulnerabilities, if left unpatched, could be leveraged in targeted attacks against organizations relying on Splunk for security monitoring and data analytics. The incident serves as a reminder of the evolving threat landscape and the need for vigilance in securing enterprise software. Splunk’s response includes detailed advisories and guidance for affected customers. The company has not reported any active exploitation in the wild at the time of disclosure, but the technical details provided could accelerate attempts by threat actors to develop exploits. Organizations are encouraged to stay informed about security advisories and to implement layered defenses to reduce the risk of compromise.
Jun 29, 2026
Critical Splunk Enterprise Flaw Exposes Pre-Auth File Write and RCE Path
Splunk issued urgent fixes for **CVE-2026-20253**, a critical `CVSS 9.8` vulnerability in **Splunk Enterprise** that allows unauthenticated arbitrary file creation and truncation through a PostgreSQL sidecar service endpoint missing authentication controls. The flaw affects supported Splunk Enterprise releases prior to **10.4.0**, **10.2.4**, **10.0.7**, **9.4.12**, and **9.3.13** depending on branch, and Splunk said **Splunk Cloud is not affected** because it does not use Postgres sidecars. Splunk and national cyber authorities urged administrators to apply updates immediately, noting that no vendor detections or workarounds were initially available for the core issue. Public technical analysis from watchTowr Labs showed the bug can be reached through Splunk Web on port `8000`, which proxies requests to localhost-only PostgreSQL recovery endpoints, enabling attackers to abuse `/v1/postgres/recovery/backup` and `/restore` for filesystem access. Researchers demonstrated a full pre-auth exploitation chain that used path traversal, PostgreSQL connection-string injection, local `.pgpass` credentials, and PostgreSQL large-object export to gain arbitrary file write as the `splunk` user, then overwrite a Splunk Python script to achieve remote code execution. Splunk also disclosed additional Enterprise flaws including **CVE-2026-20251** (`CVSS 8.8`) in the Splunk Secure Gateway app due to unsafe `jsonpickle` deserialization, plus stored XSS and SSRF issues, prompting guidance to patch quickly, restrict dashboard creation and web exposure, and disable or remove vulnerable components where immediate upgrades are not possible.
Jun 29, 2026