Security Advisory 2022-037

Release Date:

Path Traversal SPL Injection in Splunk Products



  • 20/05/2022 --- v1.0 -- Initial publication


On May 3rd, 2022, Splunk released a security advisory for a path traversal vulnerability in a search parameter that can potentially allow external content injection [1]. An attacker can cause the application to load data from incorrect endpoints or URLs, leading to outcomes such as running arbitrary SPL queries [3].

The vulnerability was found in Splunk Enterprise up to 8.1.1. It has been declared critical and is tracked as CVE-2022-26889 [1].

Technical Details

This vulnerability affects processing in the Search Parameter Handler component. Manipulation with an unknown input leads to privilege escalation. Exploitation appears to be easy, the attack can be initiated remotely, and no authentication is required for successful exploitation. Neither further technical details nor an exploit are publicly available yet [2].

Affected products

Splunk Enterprise versions before 8.1.2. The vulnerability does not impact Splunk Cloud Platform instances [4].


CERT-EU strongly recommends upgrading Splunk Enterprise to 8.1.2 or later.


The vulnerability impacts instances with Splunkweb enabled [1]. More information on disabling Splunkweb can be found in Securing Splunk Enterprise [5] and Splunk Enterprise administration manuals [6].
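A triage check combining the two conditions stated above (version before 8.1.2, Splunkweb enabled), as an added example that is not part of this advisory or of Splunk's tooling. It assumes the version text comes from `$SPLUNK_HOME/etc/splunk.version` and the merged web settings from `splunk btool web list settings`; the function names and sample inputs are constructed for illustration.

```python
import configparser
import re

FIXED = (8, 1, 2)  # first fixed release named in the advisory


def parse_version(splunk_version_text):
    """Extract the VERSION=x.y.z value from the text of etc/splunk.version."""
    m = re.search(r"^VERSION=(\d+(?:\.\d+)*)", splunk_version_text, re.MULTILINE)
    if not m:
        raise ValueError("no VERSION= line found")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad 8.1 to 8.1.0


def splunkweb_enabled(web_conf_text):
    """True unless [settings] startwebserver is explicitly set to a false value.

    Assumption: a missing setting or an unrecognised value counts as enabled,
    which is the conservative reading for triage.
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(web_conf_text)
    value = cp.get("settings", "startwebserver", fallback="1").strip().lower()
    return value not in ("0", "false", "f", "no")


def triage(splunk_version_text, web_conf_text):
    """Classify one instance against the advisory's two conditions."""
    if parse_version(splunk_version_text)[:3] >= FIXED:
        return "patched"
    if splunkweb_enabled(web_conf_text):
        return "exposed: upgrade to 8.1.2 or later"
    return "vulnerable version, Splunkweb disabled: upgrade still recommended"


# Constructed sample inputs, not taken from a real host.
SAMPLE_VERSION = "VERSION=8.1.1\nBUILD=0000000000\nPRODUCT=splunk\n"
SAMPLE_WEB_ON = "[settings]\nhttpport = 8000\nstartwebserver = 1\n"
SAMPLE_WEB_OFF = "[settings]\nstartwebserver = 0\n"

if __name__ == "__main__":
    print(triage(SAMPLE_VERSION, SAMPLE_WEB_ON))
    print(triage(SAMPLE_VERSION, SAMPLE_WEB_OFF))
```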







