CVE-2025-20226: 
Splunk Enterprise vulnerability analysis and mitigation

CVE-2025-20226 affects Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8 and Splunk Cloud Platform versions below 9.3.2408.107, 9.2.2406.111, and 9.1.2308.214. The vulnerability was disclosed on March 26, 2025, and allows a low-privileged user without admin or power roles to bypass SPL safeguards for risky commands on the '/services/streams/search' endpoint through its 'q' parameter (Splunk Advisory, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 5.7 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N. The issue is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The vulnerability specifically involves the ability to run a saved search with risky commands using the permissions of a higher-privileged user through the '/services/streams/search' endpoint's 'q' parameter (Splunk Advisory).

The vulnerability allows unauthorized access to sensitive information through privilege escalation. A successful exploit could enable a low-privileged user to execute risky commands with elevated permissions, potentially exposing confidential data. However, the impact is somewhat limited as the vulnerability requires user interaction and cannot be exploited at will (Splunk Advisory).

The primary mitigation is to upgrade Splunk Enterprise to versions 9.4.1, 9.3.3, 9.2.5, 9.1.8, or higher. For Splunk Cloud Platform, Splunk is actively monitoring and patching instances. As a workaround, organizations can disable Splunk Web, though this may impact functionality. Detailed information about disabling Splunk Web can be found in the web.conf configuration specification file (Splunk Advisory).