ZeroPath at Black Hat USA 2026

Splunk Enterprise CVE-2026-20252: Overview of SSRF via Dashboard Studio PDF Export with Dual Bypass Mechanisms

A brief summary of CVE-2026-20252, a high severity SSRF vulnerability in Splunk Enterprise and Splunk Cloud Platform that allows low privileged users to reach arbitrary internal destinations through the Dashboard Studio PDF export feature using prefix match and redirect bypass techniques.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-10

Splunk Enterprise CVE-2026-20252: Overview of SSRF via Dashboard Studio PDF Export with Dual Bypass Mechanisms
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A low privileged Splunk user can turn the platform's own Dashboard Studio PDF export feature into an internal network scanner, reaching arbitrary services behind the firewall without needing admin or power role credentials. For organizations running Splunk as their primary SIEM, this means the security monitoring infrastructure itself becomes a potential pivot point for server side request forgery.

CVE-2026-20252 carries a CVSS 7.6 (High) rating and affects a broad range of Splunk Enterprise and Splunk Cloud Platform versions. What makes this vulnerability particularly interesting is its dual bypass mechanism: two independent flaws in domain validation logic that can each be exploited separately to circumvent the allowlist protecting the PDF export service. Splunk has published no workarounds, making version upgrade the sole official remediation.

Technical Information

Root Cause: Flawed Domain Validation in PDF Export

CVE-2026-20252 is classified under CWE-918 (Server-Side Request Forgery), a weakness category that OWASP elevated to its own Top 10 entry (A10) in 2021, noting 9,503 occurrences and 385 mapped CVEs at the time. The vulnerability sits in the Dashboard Studio PDF export feature within Splunk Web. When a user triggers a PDF export of a dashboard, the Splunk server initiates outbound HTTP requests to render the dashboard content. The server validates the target URL against an allowlist of trusted domains before making the request. However, the validation logic contains two distinct flaws that an attacker can exploit independently or in combination.

Bypass Mechanism 1: Prefix Match Allowlist Bypass

The trusted domain validation uses a prefix match rather than an exact domain match or proper suffix match. This means the server checks whether the requested URL's domain starts with a trusted domain string, rather than verifying that the domain is the trusted domain or a legitimate subdomain of it.

An attacker can register a domain where the trusted domain appears as a prefix. For example, if docs.splunk.com is on the allowlist, the attacker registers docs.splunk.com.evil.com. The prefix check sees that the string begins with docs.splunk.com and passes validation. The actual DNS resolution, however, resolves to the attacker's infrastructure at evil.com.

This is a well known class of URL validation error. Proper domain validation requires checking that the domain either exactly matches the allowlist entry or that the character immediately preceding the match is a dot (indicating a legitimate subdomain relationship), and that the match extends to the end of the domain string.

Bypass Mechanism 2: Redirect Following Without Re-Validation

The PDF export service follows HTTP 3xx redirect responses automatically. Critically, it does not re-validate each redirect target against the allowlist. This means an attacker who can place content at an initially allowed URL (or who combines this with the prefix match bypass) can issue a redirect to any arbitrary destination, including internal network addresses.

The server will follow the redirect and make a request to the new target without checking whether it is permitted. This effectively renders the allowlist meaningless for any URL that returns a redirect response.

Attack Flow

A practical exploitation sequence proceeds as follows:

  1. An attacker authenticates to Splunk with a low privilege account (any role below "admin" or "power" is sufficient).

  2. The attacker navigates to Dashboard Studio and initiates a PDF export, injecting a crafted URL into the export request. The URL is constructed to bypass the prefix match check, for example: docs.splunk.com.evil.com.

  3. The Splunk server's domain validation logic performs a prefix match against the allowlist. The attacker's domain passes because it begins with the trusted string docs.splunk.com.

  4. The Splunk server sends an HTTP request to the attacker controlled domain. The attacker's server responds with an HTTP 302 redirect pointing to an internal target, such as http://169.254.169.254/latest/meta-data/ (a cloud provider metadata endpoint) or http://internal-api:8080/admin/config.

  5. The PDF export service follows the redirect without re-validating the new destination against the allowlist. It retrieves the response from the internal service.

  6. The response content, or information derived from it, becomes observable through the PDF export result or associated error messages, allowing the attacker to exfiltrate data from internal services that would otherwise be unreachable from their network position.

CVSS Vector Breakdown

The CVSSv3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L tells us several important things about the exploitability and impact:

ComponentValueMeaning
Attack VectorNetworkExploitable remotely over the network
Attack ComplexityLowNo special conditions or race conditions required
Privileges RequiredLowAny authenticated non-admin, non-power user
User InteractionNoneNo victim action needed
ScopeUnchangedImpact stays within the vulnerable component
ConfidentialityHighAttacker can read responses from internal services
IntegrityLowLimited modification capability
AvailabilityLowLimited disruption potential

The High confidentiality rating is the most significant impact dimension. In enterprise Splunk deployments, the server typically has network access to numerous internal services for log collection and data ingestion. An SSRF from this position can reach services that are otherwise protected by network segmentation, including cloud metadata endpoints, internal APIs, and management interfaces.

The Paradox of SSRF in SIEM Infrastructure

The strategic significance of this vulnerability extends beyond a typical SSRF finding. Splunk servers, by design, occupy a privileged network position with broad connectivity to collect logs from across the enterprise. An SSRF vulnerability in the SIEM platform means the security monitoring tool itself becomes the attack vector. The server that is supposed to detect threats is being used to probe the internal network, creating a blind spot where the attacker's reconnaissance activity originates from a trusted source.

Affected Systems and Versions

The following table details all affected and fixed versions based on the Splunk advisory and NVD data:

ProductAffected Version RangeFixed Version
Splunk Enterprise10.2.0 through 10.2.310.2.4
Splunk Enterprise10.0.0 through 10.0.610.0.7
Splunk Enterprise9.4.0 through 9.4.119.4.12
Splunk Enterprise9.3.0 through 9.3.129.3.13
Splunk Enterprise10.4.0Not affected
Splunk Cloud PlatformBelow 10.4.2604.310.4.2604.3
Splunk Cloud PlatformBelow 10.3.2512.1210.3.2512.12
Splunk Cloud PlatformBelow 10.2.2510.1410.2.2510.14
Splunk Cloud PlatformBelow 10.1.2507.2210.1.2507.22
Splunk Cloud PlatformBelow 9.3.2411.1329.3.2411.132

Splunk states it is "actively monitoring and patching Splunk Cloud Platform instances," so SaaS customers may already be protected. On premises customers bear full responsibility for upgrading.

The advisory explicitly notes that no workarounds or mitigations are available from Splunk. Organizations that cannot immediately upgrade should consider the following compensating controls:

Egress filtering: Restrict outbound HTTP/HTTPS traffic from the Splunk server to only explicitly required destinations. Block connections to cloud metadata endpoints (169.254.169.254), internal API services, and other sensitive internal addresses.

Proxy level redirect blocking: If the Splunk server routes PDF export requests through an outbound proxy, configure the proxy to strip or block HTTP 3xx redirect responses. This neutralizes the redirect based bypass but does not address the prefix match flaw.

Network segmentation: Ensure the Splunk server sits on a network segment with minimal access to sensitive internal services, limiting the blast radius of any SSRF exploitation.

RBAC restriction of PDF export: Consider restricting the Dashboard Studio PDF export feature to users holding the "admin" or "power" roles only, since the vulnerability specifically requires a non-admin, non-power user. This approach is not documented in the official advisory and should be tested before deployment.

Monitoring: Watch for anomalous outbound HTTP connections originating from the Splunk server process, particularly those targeting internal IP ranges, metadata endpoints, or domains with suspicious subdomain patterns such as *.splunk.com.evil.com.

Vendor Security History

CVE-2026-20252 fits into a recurring pattern of SSRF vulnerabilities in Splunk products. This is at least the third such disclosure:

  1. CVE-2023-22936: An SSRF vulnerability affecting authenticated users in Splunk Enterprise.

  2. CVE-2025-20371: A blind SSRF through Distributed Search Peers in Splunk Enterprise, allowing the server to send requests to unintended destinations.

  3. CVE-2026-20252: The current SSRF through Dashboard Studio PDF export, featuring two distinct bypass mechanisms.

Each of these vulnerabilities targets a different Splunk feature (general authenticated endpoints, Distributed Search Peers, Dashboard Studio PDF export), which suggests the root cause is not a single code path but rather an architectural pattern of insufficient URL and redirect validation across the codebase.

Beyond SSRF, the Splunk advisory archive reveals a steady cadence of security disclosures across multiple vulnerability classes. Recent 2026 advisories include denial of service through coldToFrozen.sh (CVE-2026-20240), sensitive information disclosure through log files (CVE-2026-20239), improper access control through role inheritance (CVE-2026-20238), and information disclosure in the _internal index (CVE-2026-20205). Splunk also publishes a substantial volume of third party package update advisories, indicating active monitoring of supply chain dependencies.

Since Cisco's acquisition of Splunk closed in 2024, vulnerability disclosures now flow through Cisco's Product Security Incident Response Team (PSIRT), as confirmed by the [email protected] source identifier on this CVE.

Threat Intelligence Context

As of the disclosure date (June 10, 2026), there is no publicly available evidence that CVE-2026-20252 is being actively exploited in the wild. The vulnerability was responsibly disclosed by researcher M Mahdan Argya Syarif (0xbeludan) through coordinated disclosure, rather than being discovered as a zero day under active attack. No CISA KEV catalog entries, threat intelligence reports, or security vendor alerts were found indicating in the wild exploitation.

However, several factors suggest the window between disclosure and potential weaponization could be narrow:

The attack complexity is rated Low, and the prefix match bypass is straightforward to construct (register a domain like trusted-domain.attacker.com). Redirect based SSRF exploitation is a well documented technique with extensive public tooling and documentation.

Splunk deployments are high value targets. They typically contain sensitive security logs, compliance data, and operational telemetry. A successful SSRF from a Splunk server provides access to internal services from a network position that is often broadly trusted.

The existence of two prior Splunk SSRF vulnerabilities means that researchers and threat actors have already studied Splunk's URL handling patterns, potentially lowering the barrier to developing exploits for this new variant.

No specific threat actors or APT groups have been linked to this CVE. No proof of concept exploit code has been publicly identified at this time.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization