Description
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could cause data exfiltration through classic dashboards by redirecting a victim to an external site using a protocol-relative URL in a drill-down link.<br><br>The vulnerability exists because the URL classifier in classic dashboards only recognizes `http://` and `https://` schemes when checking for external URLs. Protocol-relative URLs such as `//attacker.com` bypass this check entirely, and Splunk Web does not show the external-navigation warning dialog to the victim.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Affected products
- Splunk / Splunk Cloud Platform9.3.2411 – 9.3.2411.132
- Splunk / Splunk Cloud Platform10.3.2512 – 10.3.2512.13
- Splunk / Splunk Cloud Platform10.2.2510 – 10.2.2510.15
- Splunk / Splunk Cloud Platform10.1.2507 – 10.1.2507.23
- Splunk / Splunk Enterprise10.2 – 10.2.4
- Splunk / Splunk Enterprise10.0 – 10.0.7
- Splunk / Splunk Enterprise9.4 – 9.4.12
- Splunk / Splunk Enterprise9.3 – 9.3.13
References
- VENDOR_ADVISORYhttps://advisory.splunk.com/advisories/SVD-2026-0606