VDB
CVE-2026-20137
CVE-2026-20137
PUBLISHED
CVSS 3.5 LOW
In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.5, 9.3.7, and 9.2.9, and Splunk Cloud Platform versions below 10.1.2507.0, 10.0.2503.9, 9.3.2411.112, and 9.3.2408.122, a low-privileged user who does not hold the "admin" or "power" Splunk roles could bypass the SPL safeguards for risky commands when they create a Data Model that contains an injected SPL query within an object. They can bypass the safeguards by exploiting a path traversal vulnerability.
EPSS 0.04% · 13.2th percentile
Risk Scores
CVSS 3.1
3.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
EPSS Score
0.04%
13.2th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| splunk | splunk_cloud_platform | 10.1.2507, 9.3.2408, 9.3.2411 |
| Splunk | Splunk Cloud Platform | 10.1.2507, 9.3.2408, 9.3.2411 |
| splunk | splunk | 9.2.0, 9.3.0, 9.4.0 |
| Splunk | Splunk Enterprise | 9.4, 9.2, 9.3 |
Exploit Intelligence
Timeline
- Oct 8, 2025 CVE ID Reserved
- Feb 18, 2026 CVE Published
- Feb 18, 2026 CVE Updated
- Feb 19, 2026 EPSS Score
- Feb 21, 2026 EPSS Score
- Feb 22, 2026 EPSS Score
- Feb 24, 2026 EPSS Score
- Feb 26, 2026 EPSS Score
- Feb 28, 2026 EPSS Score
- Mar 1, 2026 EPSS Score
- Mar 3, 2026 EPSS Score
- Mar 5, 2026 EPSS Score
References
- https://advisory.splunk.com/advisories/SVD-2026-0202 url
- https://advisory.splunk.com/advisories/SVD-2026-0210 advisory
- https://advisory.splunk.com/advisories/SVD-2026-0206 advisory
- https://advisory.splunk.com/advisories/SVD-2026-0204 advisory
- https://advisory.splunk.com/advisories/SVD-2026-0211 advisory
- https://advisory.splunk.com/advisories/SVD-2026-0205 advisory
- https://advisory.splunk.com/advisories/SVD-2026-0203 advisory
- https://advisory.splunk.com/advisories/SVD-2026-0207 advisory
- https://advisory.splunk.com/advisories/SVD-2026-0209 advisory
- https://advisory.splunk.com/advisories/SVD-2026-0208 advisory
- https://advisory.splunk.com/advisories/SVD-2026-0212 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-20137 advisory