CVE-2026-20162 Overview
A Stored Cross-Site Scripting (XSS) vulnerability exists in Splunk Enterprise and Splunk Cloud Platform that can be exploited through a path traversal attack when creating Views in the User Interface settings. A low-privileged user who does not hold the "admin" or "power" Splunk roles can craft a malicious payload at the /manager/launcher/data/ui/views/_new endpoint, leading to unauthorized JavaScript code execution in the browser of victim users.
Critical Impact
This vulnerability allows attackers to execute arbitrary JavaScript in authenticated users' browsers, potentially enabling session hijacking, credential theft, and unauthorized actions within the Splunk environment.
Affected Products
- Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.9
- Splunk Cloud Platform versions below 10.2.2510.4, 10.1.2507.15, 10.0.2503.11, and 9.3.2411.123
Discovery Timeline
- 2026-03-11 - CVE CVE-2026-20162 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-20162
Vulnerability Analysis
This vulnerability combines two distinct attack techniques: Stored Cross-Site Scripting (XSS) and Path Traversal. The weakness resides in the Views management functionality within Splunk's User Interface settings. When users create a new View through the /manager/launcher/data/ui/views/_new endpoint, the application fails to properly sanitize user-supplied input, allowing malicious payloads to be stored and later executed.
The vulnerability is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation), which encompasses various forms of XSS attacks. The stored nature of this XSS means that the malicious payload persists within the application, executing whenever a victim user accesses the affected View.
Successful exploitation requires user interaction, as the attacker must phish the victim into initiating a request within their browser. This social engineering component means that the authenticated user cannot exploit the vulnerability at will—they must trick another user into triggering the malicious payload.
Root Cause
The root cause is improper input validation and output encoding in the Views creation functionality. The application fails to adequately sanitize path components and user-controlled input when processing View creation requests, allowing attackers to inject malicious JavaScript through path traversal techniques. The combination of insufficient input validation on the path parameter and lack of proper output encoding when rendering Views creates the exploitable condition.
Attack Vector
The attack is network-based and requires a low-privileged authenticated user to initiate. The attacker crafts a malicious payload containing JavaScript code and submits it through the Views creation interface at /manager/launcher/data/ui/views/_new. The path traversal component allows the attacker to potentially escape intended directory constraints while injecting the XSS payload.
Once the malicious View is created and stored, the attacker must then social engineer a victim user (potentially one with higher privileges) into accessing the compromised View. When the victim's browser renders the View, the stored JavaScript payload executes in their browser context, potentially allowing the attacker to steal session tokens, perform actions as the victim, or exfiltrate sensitive data visible to that user.
The vulnerability mechanism exploits the trust relationship between the Splunk application and authenticated users, leveraging insufficient input sanitization during View creation combined with a path traversal weakness to achieve stored XSS execution.
Detection Methods for CVE-2026-20162
Indicators of Compromise
- Unusual or suspicious View creation requests to /manager/launcher/data/ui/views/_new containing path traversal sequences such as ../ or encoded variants
- JavaScript content or HTML tags embedded within View names or configuration parameters
- Unexpected modifications to existing Views or creation of Views with obfuscated names
- Browser-based anomalies in user sessions following View access, such as unexpected network requests to external domains
Detection Strategies
- Monitor HTTP request logs for POST requests to the Views management endpoint containing suspicious characters or encoded path traversal sequences
- Implement Content Security Policy (CSP) headers to detect and block unauthorized inline script execution
- Review audit logs for View creation events from low-privileged users, particularly those targeting unusual paths
- Deploy web application firewall (WAF) rules to detect XSS patterns and path traversal attempts in request payloads
Monitoring Recommendations
- Enable detailed audit logging for all administrative UI actions within Splunk, particularly View management operations
- Configure alerts for creation or modification of Views by users without admin or power roles
- Monitor for JavaScript execution anomalies using browser security tools or endpoint detection
- Review Splunk internal logs for unauthorized access patterns to the /manager/launcher/data/ui/views/ path
How to Mitigate CVE-2026-20162
Immediate Actions Required
- Upgrade Splunk Enterprise to version 10.2.0, 10.0.3, 9.4.9, or 9.3.9 or later depending on your version branch
- Upgrade Splunk Cloud Platform to version 10.2.2510.4, 10.1.2507.15, 10.0.2503.11, or 9.3.2411.123 or later
- Review existing Views for suspicious content or unexpected JavaScript payloads
- Restrict View creation permissions to trusted administrators only until patching is complete
Patch Information
Splunk has released security updates to address this vulnerability. Detailed patch information is available in the Splunk Security Advisory SVD-2026-0301. Organizations should prioritize applying these updates to all affected Splunk Enterprise and Splunk Cloud Platform deployments.
Workarounds
- Restrict access to the Views management interface by limiting the users who can create or modify Views through role-based access controls
- Implement strict Content Security Policy headers to mitigate the impact of any XSS execution
- Deploy web application firewall rules to block requests containing path traversal sequences and common XSS patterns
- Educate users about phishing risks and the importance of not clicking suspicious links, especially those directing to Splunk administrative interfaces
# Review Splunk user roles and restrict View creation permissions
# Navigate to Settings > Access controls > Roles
# For non-admin roles, remove or restrict the following capabilities:
# - edit_views
# - admin_all_objects
# Example: Verify current role capabilities via REST API
curl -k -u admin:password https://localhost:8089/services/authorization/roles/user | grep -i "edit_views\|admin_all_objects"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
