vulnerability
Splunk: CVE-2023-22940: SPL Command Safeguards Bypass via the ‘collect’ SPL Command Aliases in Splunk Enterprise
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:M/Au:S/C:C/I:P/A:N) | Feb 14, 2023 | Apr 7, 2025 | Mar 25, 2026 |
Severity
7
CVSS
(AV:N/AC:M/Au:S/C:C/I:P/A:N)
Published
Feb 14, 2023
Added
Apr 7, 2025
Modified
Mar 25, 2026
Description
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, aliases of the ‘collect’ search processing language (SPL) command, including ‘summaryindex’, ‘sumindex’, ‘stash’,’ mcollect’, and ‘meventcollect’, were not designated as safeguarded commands. The commands could potentially allow for the exposing of data to a summary index that unprivileged users could access. The vulnerability requires a higher privileged user to initiate a request within their browser, and only affects instances with Splunk Web enabled.
Solution
splunk-upgrade-latest
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.