vulnerability

Splunk: CVE-2023-32717: Role-based Access Control (RBAC) Bypass on '/services/indexing/preview' REST Endpoint Can Overwrite Search Results

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
4	(AV:N/AC:L/Au:S/C:N/I:P/A:N)	Jun 1, 2023	Apr 7, 2025	Oct 31, 2025

Severity

CVSS

(AV:N/AC:L/Au:S/C:N/I:P/A:N)

Published

Jun 1, 2023

Added

Apr 7, 2025

Modified

Oct 31, 2025

Description

An unauthorized user can access the ‘/services/indexing/preview’ REST endpoint to overwrite search results if they know the search ID (SID) of an existing search job. This is because the endpoint does not honor role-based access controls (RBAC) with respect to SID ownership. The exploit requires that the user hold a role that has the ‘edit_monitor’ and ‘edit_upload_and_index’ capabilities assigned to it.

Solution

splunk-upgrade-latest

References

CVE-2023-32717
https://attackerkb.com/topics/CVE-2023-32717
URL-https://advisory.splunk.com/advisories/SVD-2023-0612.html
CWE-285

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today