{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20137", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "state": "PUBLISHED", "assignerShortName": "cisco", "dateReserved": "2025-10-08T11:59:15.381Z", "datePublished": "2026-02-18T16:45:17.606Z", "dateUpdated": "2026-02-18T17:55:22.684Z"}, "containers": {"cna": {"affected": [{"product": "Splunk Enterprise", "vendor": "Splunk", "versions": [{"version": "10.2", "status": "affected", "versionType": "custom", "lessThan": "10.2.0"}, {"version": "10.0", "status": "affected", "versionType": "custom", "lessThan": "10.0.3"}, {"version": "9.4", "status": "affected", "versionType": "custom", "lessThan": "9.4.5"}, {"version": "9.3", "status": "affected", "versionType": "custom", "lessThan": "9.3.7"}, {"version": "9.2", "status": "affected", "versionType": "custom", "lessThan": "9.2.9"}]}, {"product": "Splunk Cloud Platform", "vendor": "Splunk", "versions": [{"version": "10.1.2507", "status": "affected", "versionType": "custom", "lessThan": "10.1.2507.0"}, {"version": "10.0", "status": "affected", "versionType": "custom", "lessThan": "10.0.2503.9"}, {"version": "9.3.2411", "status": "affected", "versionType": "custom", "lessThan": "9.3.2411.112"}, {"version": "9.3.2408", "status": "affected", "versionType": "custom", "lessThan": "9.3.2408.122"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.5, 9.3.7, and 9.2.9, and Splunk Cloud Platform versions below 10.1.2507.0, 10.0.2503.9, 9.3.2411.112, and 9.3.2408.122, a low-privileged user who does not hold the \"admin\" or \"power\" Splunk roles could bypass the SPL safeguards for risky commands when they create a Data Model that contains an injected SPL query within an object. They can bypass the safeguards by exploiting a path traversal vulnerability."}], "value": "In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.5, 9.3.7, and 9.2.9, and Splunk Cloud Platform versions below 10.1.2507.0, 10.0.2503.9, 9.3.2411.112, and 9.3.2408.122, a low-privileged user who does not hold the \"admin\" or \"power\" Splunk roles could bypass the SPL safeguards for risky commands when they create a Data Model that contains an injected SPL query within an object. They can bypass the safeguards by exploiting a path traversal vulnerability."}], "references": [{"url": "https://advisory.splunk.com/advisories/SVD-2026-0202"}], "title": "Risky Commands Safeguards Bypass through preloaded Data Models due to Path Traversal vulnerability in Splunk Enterprise", "datePublic": "2026-02-18T00:00:00.000Z", "metrics": [{"cvssV3_1": {"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1", "baseScore": 3.5, "baseSeverity": "LOW"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cwe", "description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.", "cweId": "CWE-200"}]}], "source": {"advisory": "SVD-2026-0202"}, "credits": [{"lang": "en", "value": "Anton (therceman)"}], "providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2026-02-18T16:45:17.606Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T17:52:56.461958Z", "id": "CVE-2026-20137", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T17:55:22.684Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-20137", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T17:52:56.461958Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T17:55:17.640Z"}}], "cna": {"title": "Risky Commands Safeguards Bypass through preloaded Data Models due to Path Traversal vulnerability in Splunk Enterprise", "source": {"advisory": "SVD-2026-0202"}, "credits": [{"lang": "en", "value": "Anton (therceman)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 3.5, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Splunk", "product": "Splunk Enterprise", "versions": [{"status": "affected", "version": "10.2", "lessThan": "10.2.0", "versionType": "custom"}, {"status": "affected", "version": "10.0", "lessThan": "10.0.3", "versionType": "custom"}, {"status": "affected", "version": "9.4", "lessThan": "9.4.5", "versionType": "custom"}, {"status": "affected", "version": "9.3", "lessThan": "9.3.7", "versionType": "custom"}, {"status": "affected", "version": "9.2", "lessThan": "9.2.9", "versionType": "custom"}]}, {"vendor": "Splunk", "product": "Splunk Cloud Platform", "versions": [{"status": "affected", "version": "10.1.2507", "lessThan": "10.1.2507.0", "versionType": "custom"}, {"status": "affected", "version": "10.0", "lessThan": "10.0.2503.9", "versionType": "custom"}, {"status": "affected", "version": "9.3.2411", "lessThan": "9.3.2411.112", "versionType": "custom"}, {"status": "affected", "version": "9.3.2408", "lessThan": "9.3.2408.122", "versionType": "custom"}]}], "datePublic": "2026-02-18T00:00:00.000Z", "references": [{"url": "https://advisory.splunk.com/advisories/SVD-2026-0202"}], "descriptions": [{"lang": "en", "value": "In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.5, 9.3.7, and 9.2.9, and Splunk Cloud Platform versions below 10.1.2507.0, 10.0.2503.9, 9.3.2411.112, and 9.3.2408.122, a low-privileged user who does not hold the \"admin\" or \"power\" Splunk roles could bypass the SPL safeguards for risky commands when they create a Data Model that contains an injected SPL query within an object. They can bypass the safeguards by exploiting a path traversal vulnerability.", "supportingMedia": [{"type": "text/html", "value": "In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.5, 9.3.7, and 9.2.9, and Splunk Cloud Platform versions below 10.1.2507.0, 10.0.2503.9, 9.3.2411.112, and 9.3.2408.122, a low-privileged user who does not hold the \"admin\" or \"power\" Splunk roles could bypass the SPL safeguards for risky commands when they create a Data Model that contains an injected SPL query within an object. They can bypass the safeguards by exploiting a path traversal vulnerability.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cwe", "cweId": "CWE-200", "description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information."}]}], "providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2026-02-18T16:45:17.606Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20137", "state": "PUBLISHED", "dateUpdated": "2026-02-18T17:55:22.684Z", "dateReserved": "2025-10-08T11:59:15.381Z", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "datePublished": "2026-02-18T16:45:17.606Z", "assignerShortName": "cisco"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "FE00218E-F8B2-42DA-9E4E-D7A00B657B93", "versionEndExcluding": "9.2.9", "versionStartIncluding": "9.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "C6257ADA-AB6E-4679-A41B-BCE79CE8D573", "versionEndExcluding": "9.3.7", "versionStartIncluding": "9.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "30970DF3-6DA7-4FAB-B234-3226F47F9C87", "versionEndExcluding": "9.4.5", "versionStartIncluding": "9.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "CB313879-7BD8-411A-B503-01689F0B326E", "versionEndExcluding": "10.0.3", "versionStartIncluding": "10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "2EEE3994-A508-46E7-81D6-C038C68235E7", "versionEndExcluding": "9.3.2408.122", "versionStartIncluding": "9.3.2408", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "8C929336-F50D-4AFC-BCF9-CCA5BF89E599", "versionEndExcluding": "9.3.2411.112", "versionStartIncluding": "9.3.2411", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "62714243-8A5F-4908-BD39-7B1026B8E7D7", "versionEndExcluding": "10.0.2503.9", "versionStartIncluding": "10.0.2503", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:10.1.2507:*:*:*:*:*:*:*", "matchCriteriaId": "56CBDDE1-EBD2-4E82-A7B7-CE4F0F27BF21", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.5, 9.3.7, and 9.2.9, and Splunk Cloud Platform versions below 10.1.2507.0, 10.0.2503.9, 9.3.2411.112, and 9.3.2408.122, a low-privileged user who does not hold the \"admin\" or \"power\" Splunk roles could bypass the SPL safeguards for risky commands when they create a Data Model that contains an injected SPL query within an object. They can bypass the safeguards by exploiting a path traversal vulnerability."}, {"lang": "es", "value": "En las versiones de Splunk Enterprise anteriores a 10.2.0, 10.0.3, 9.4.5, 9.3.7 y 9.2.9, y en las versiones de Splunk Cloud Platform anteriores a 10.1.2507.0, 10.0.2503.9, 9.3.2411.112 y 9.3.2408.122, un usuario con pocos privilegios que no posea los roles de Splunk 'admin' o 'power' podr\u00eda eludir las salvaguardas de SPL para comandos arriesgados cuando crea un Modelo de Datos que contiene una consulta SPL inyectada dentro de un objeto. Puede eludir las salvaguardas explotando una vulnerabilidad de salto de ruta."}], "id": "CVE-2026-20137", "lastModified": "2026-02-20T13:53:39.890", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "psirt@cisco.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-18T18:24:22.637", "references": [{"source": "psirt@cisco.com", "tags": ["Vendor Advisory"], "url": "https://advisory.splunk.com/advisories/SVD-2026-0202"}], "sourceIdentifier": "psirt@cisco.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "psirt@cisco.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.1.2507,10.1.2507.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.0,10.0.2503.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.3.2411,9.3.2411.112)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.3.2408,9.3.2408.122)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Splunk Cloud Platform", "source": "cna", "vendor": "Splunk"}, "product": "splunk_cloud_platform", "vendor": "splunk"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.2,10.2.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.0,10.0.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.4,9.4.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.3,9.3.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.2,9.2.9)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Splunk Enterprise", "source": "cna", "vendor": "Splunk"}, "product": "splunk_enterprise", "vendor": "splunk"}], "analysis": {"en": {"generated_at": "2026-04-17T18:38:09.159274+00:00", "value": {"mitigation_remediation": ["Upgrade Splunk Enterprise to version 10.2.0 or higher, or 10.0.3 or higher, or 9.4.5 or higher, or 9.3.7 or higher, or 9.2.9 or higher; upgrade Splunk Cloud Platform to 10.1.2507.0 or higher, or 10.0.2503.9 or higher, or 9.3.2411.112 or higher, or 9.3.2408.122 or higher.", "Restrict the ability to create custom data models to users with admin or power roles, or enforce security settings that block unsafe data models for low\u2011privileged accounts.", "Monitor Splunk logs for path\u2011traversal attempts and anomalous data\u2011model creation events to detect and respond to potential exploitation."], "summary": {"action": "Patch", "impact": "Bypass of SPL safeguards for risky commands"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Splunk and its Cloud Platform. Splunk Enterprise releases older than version 10.2.0, 10.0.3, 9.4.5, 9.3.7, and 9.2.9 are susceptible, as are Splunk Cloud Platform releases older than 10.1.2507.0, 10.0.2503.9, 9.3.2411.112, and 9.3.2408.122. All other enterprise and cloud versions are considered secure.", "description_and_impact": "An attacker with a low\u2011privilege account that lacks admin or power roles can exploit a path traversal flaw in Splunk Enterprise and Splunk Cloud Platform to inject a malicious SPL query into a custom data model. By doing so the SPL safeguards around risky commands are bypassed, allowing the attacker to execute commands that normally would be restricted. This could lead to unauthorized manipulation of data or further escalation of privileges.", "risk_and_exploitability": "The CVSS score of 3.5 classifies the flaw as low severity, and the EPSS score of less than 1% indicates that exploitation is unlikely at current exposure levels. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires local access or a low\u2011privileged user\u2019s ability to create data models, and it proceeds via a path\u2011traversal exploitation of the preloaded model loader. The path traversal and SPL injection jointly enable the bypass of command safeguards, providing the attacker a potential vector to execute risky commands and possibly gain elevated privileges."}}}}, "created": "2026-02-19T10:11:38.325620+00:00", "updated": "2026-04-17T18:45:25.549539+00:00", "vendors": ["splunk", "splunk$PRODUCT$splunk_cloud_platform", "splunk$PRODUCT$splunk_enterprise"]}