SB2026070226 - Splunk Python for Scientific Computing update for third-party components

Published: July 2, 2026

Security Bulletin ID: SB2026070226
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 19
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

High 5%, Medium 79%, Low 16%

Description

This security bulletin contains information about 19 vulnerabilities.


1) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-34525)

CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote attacker to bypass a security check and access a privileged sub-application.

The vulnerability exists due to inconsistent interpretation of HTTP requests in Host header handling when processing requests with multiple Host headers through a reverse proxy. A remote attacker can send a specially crafted request with duplicate Host headers to bypass a security check and access a privileged sub-application.

Exploitation is theoretically possible when a reverse proxy applies security rules based on the target Host and the application uses Application.add_domain().


2) HTTP response splitting (CVE-ID: CVE-2026-34520)

CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass security controls.

The vulnerability exists due to improper neutralization of control characters in HTTP response headers in the C parser (llhttp) when processing response header values. A remote attacker can send specially crafted header values to bypass security controls.

The issue can cause header values to be interpreted differently than expected by application logic or intermediary components such as reverse proxies.


3) Improper Certificate Validation (CVE-ID: CVE-2026-34073)

CWE-ID: CWE-295 - Improper Certificate Validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass certificate name constraints validation.

The vulnerability exists due to improper certificate validation in the X.509 certificate validation logic when validating a peer name against a wildcard SAN certificate chain. A remote attacker can present a crafted certificate chain to bypass certificate name constraints validation.

Exploitation requires an uncommon X.509 topology involving an excluded subtree constraint that matches the peer name.


4) Improper handling of highly compressed data (CVE-ID: CVE-2026-44432)

CWE-ID: CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper handling of highly compressed data in the urllib3 streaming API when processing compressed HTTP responses from untrusted sources. A remote attacker can send a highly compressed response to cause a denial of service.

Exploitation requires either incremental reads of a Brotli-encoded response with at least two read or stream calls while using the official Brotli library, or calling HTTPResponse.drain_conn() after decompression has already started.
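
The following is an added example for item 4 and is not code from Splunk, urllib3 or the Brotli project. It uses the zlib/gzip decoder from the Python standard library as a stand-in for Brotli; the defensive technique is the same: count decompressed bytes cumulatively across every read of a stream and abort once a cap is exceeded, so that a second read() or a late drain of the connection cannot restart the budget. The caps and the sample bodies are constructed.

```python
"""Bounded streaming decompression with cumulative output accounting."""
import zlib

MAX_OUTPUT_BYTES = 1 << 20   # constructed cap on total decompressed bytes (1 MiB)
MAX_RATIO = 200              # constructed cap on decompressed:compressed ratio


class DecompressionLimitExceeded(ValueError):
    """Raised when decompressed output grows past the configured caps."""


class BoundedDecompressor:
    """Incremental gzip/zlib decompressor; counters persist across feed() calls."""

    def __init__(self, max_output: int = MAX_OUTPUT_BYTES, max_ratio: int = MAX_RATIO) -> None:
        # MAX_WBITS | 32 lets zlib auto-detect gzip or zlib framing.
        self._obj = zlib.decompressobj(zlib.MAX_WBITS | 32)
        self.max_output = max_output
        self.max_ratio = max_ratio
        self.bytes_in = 0
        self.bytes_out = 0

    def _check(self) -> None:
        if self.bytes_out > self.max_output:
            raise DecompressionLimitExceeded(
                f"output {self.bytes_out} exceeds cap {self.max_output}")
        # The ratio test only becomes meaningful once some input has arrived.
        if self.bytes_in >= 4096 and self.bytes_out > self.max_ratio * self.bytes_in:
            raise DecompressionLimitExceeded(
                f"ratio {self.bytes_out // self.bytes_in}:1 exceeds cap {self.max_ratio}:1")

    def feed(self, chunk: bytes, step: int = 64 * 1024) -> bytes:
        """Decompress one compressed chunk, re-checking caps every `step` output bytes."""
        self.bytes_in += len(chunk)
        out = bytearray()
        pending = chunk
        while pending:
            # max_length bounds how much is produced before the caps are re-checked;
            # whatever input was not consumed is returned via unconsumed_tail.
            piece = self._obj.decompress(pending, step)
            self.bytes_out += len(piece)
            self._check()
            out += piece
            remaining = self._obj.unconsumed_tail
            if not piece and remaining == pending:
                break  # no progress possible; avoid spinning
            pending = remaining
        return bytes(out)

    def finish(self) -> bytes:
        tail = self._obj.flush()
        self.bytes_out += len(tail)
        self._check()
        return tail


def decompress_bounded(data: bytes, max_output: int = MAX_OUTPUT_BYTES,
                       chunk: int = 4096) -> bytes:
    """Decompress a whole body through BoundedDecompressor in chunk-sized reads."""
    dec = BoundedDecompressor(max_output=max_output)
    parts = [dec.feed(data[i:i + chunk]) for i in range(0, len(data), chunk)]
    parts.append(dec.finish())
    return b"".join(parts)


def exceeds_limit(data: bytes, max_output: int = MAX_OUTPUT_BYTES) -> bool:
    """True if decompressing `data` would blow past the cap (the bomb case)."""
    try:
        decompress_bounded(data, max_output)
    except DecompressionLimitExceeded:
        return True
    return False


def make_sample_body(kind: str) -> bytes:
    """Constructed inputs: a small benign body, or 8 MiB of zeros that compresses to a few KiB."""
    if kind == "benign":
        return zlib.compress(b"hello world" * 100)
    return zlib.compress(b"\0" * (8 << 20))
```

The zero-filled body compresses to roughly 8 KiB; feeding it in 4 KiB chunks trips the cap after about a megabyte of output, long before the full 8 MiB is materialised.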


5) Information disclosure (CVE-ID: CVE-2026-44431)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in ProxyManager.connection_from_url().urlopen() when following cross-origin redirects with assert_same_host=False through a proxy. A remote attacker can trigger a cross-origin redirect to disclose sensitive information.

Sensitive headers such as Authorization, Cookie, and Proxy-Authorization may be forwarded across origins in this low-level redirect flow.


6) OS Command Injection (CVE-ID: CVE-2026-42271)

CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Green


The vulnerability allows a remote user to execute arbitrary commands on the host.

The vulnerability exists due to improper neutralization of special elements used in an OS command in the MCP stdio test endpoints when processing a full server configuration for stdio transport. A remote user can submit a specially crafted request containing command, args, and env fields to execute arbitrary commands on the host.

The issue affects POST /mcp-rest/test/connection and POST /mcp-rest/test/tools/list, and the supplied command is spawned as a subprocess with the privileges of the proxy process.


7) Improper access control (CVE-ID: CVE-2026-35029)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code, disclose sensitive information, and escalate privileges.

The vulnerability exists due to improper access control in the /config/update endpoint when handling configuration update requests. A remote user can modify proxy configuration and environment variables to execute arbitrary code, disclose sensitive information, and escalate privileges.

The issue can be exploited by a user who is already authenticated into the platform.


8) Improper Authentication (CVE-ID: CVE-2026-35030)

CWE-ID: CWE-287 - Improper Authentication

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to bypass authentication and assume a legitimate user's identity and permissions.

The vulnerability exists due to improper authentication in the OIDC userinfo cache when processing JWT authentication tokens with colliding cache keys. A remote attacker can craft a token whose first 20 characters match a legitimate user's cached token to bypass authentication and assume a legitimate user's identity and permissions.

Only deployments with JWT/OIDC authentication enabled are vulnerable, and the issue depends on a cached legitimate user's token being present.
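
The following is an added example for item 8 and is not code from Splunk or the affected component. The bulletin describes a userinfo cache keyed on the first 20 characters of the token. Every JWT begins with its base64url-encoded header, which is identical for all tokens issued with the same alg and typ and is longer than 20 characters, so such a prefix cannot distinguish two users. The fix shown keys the cache on a SHA-256 digest of the whole token and re-compares the full token on lookup. The tokens are constructed JWT-shaped strings with a placeholder signature; the TTL value is an assumption.

```python
"""Collision-resistant keys for a token-indexed userinfo cache."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time
from typing import Callable


def weak_cache_key(token: str) -> str:
    """The truncated-prefix pattern item 8 describes; kept only for contrast."""
    return token[:20]


def cache_key(token: str) -> str:
    """Digest of the entire token: distinct tokens give distinct keys."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class UserInfoCache:
    """userinfo entries keyed by cache_key(token), each with a TTL."""

    def __init__(self, ttl_seconds: float = 300.0,
                 now: Callable[[], float] = time.monotonic) -> None:
        self._entries: dict[str, tuple[str, dict, float]] = {}
        self._ttl = ttl_seconds
        self._now = now  # injectable clock so expiry can be tested deterministically

    def put(self, token: str, userinfo: dict) -> None:
        self._entries[cache_key(token)] = (token, dict(userinfo), self._now() + self._ttl)

    def get(self, token: str) -> dict | None:
        key = cache_key(token)
        entry = self._entries.get(key)
        if entry is None:
            return None
        stored_token, userinfo, expires_at = entry
        if self._now() >= expires_at:
            del self._entries[key]
            return None
        # Belt and braces: confirm the exact token, in constant time, before
        # handing back a cached identity.
        if not hmac.compare_digest(stored_token.encode("utf-8"), token.encode("utf-8")):
            return None
        return dict(userinfo)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def constructed_token(subject: str) -> str:
    """JWT-shaped string for the demo; the signature segment is a placeholder."""
    header = _b64url(b'{"alg":"RS256","typ":"JWT"}')
    payload = _b64url(json.dumps({"sub": subject}).encode("utf-8"))
    return f"{header}.{payload}.{_b64url(b'placeholder-signature')}"


TOKEN_ALICE = constructed_token("alice")
TOKEN_BOB = constructed_token("bob")


def prefix_collides(a: str, b: str) -> bool:
    """True when the weak 20-character key would map both tokens to one entry."""
    return weak_cache_key(a) == weak_cache_key(b)


def lookup_after_caching(cached_token: str, probe_token: str) -> dict | None:
    """Cache alice's userinfo under cached_token, then look up probe_token."""
    cache = UserInfoCache()
    cache.put(cached_token, {"sub": "alice"})
    return cache.get(probe_token)
```

With the digest key, bob's token no longer resolves to alice's cached identity even though the two tokens share their first 36 characters.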


9) Uncontrolled recursion (CVE-ID: CVE-2026-0994)

CWE-ID: CWE-674 - Uncontrolled Recursion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to uncontrolled recursion within google.protobuf.json_format.ParseDict(). A remote attacker can pass specially crafted input to the application and perform a denial of service attack.
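
The following is an added example for item 9 and is not protobuf's or Splunk's code. ParseDict() descends into nested messages recursively; the defensive pattern shown here measures the nesting depth of a decoded JSON document with an explicit stack (no recursion), so the measurement itself cannot exhaust the call stack, and rejects documents over a configured depth before any recursive parser sees them. The depth limit and sample documents are constructed.

```python
"""Bound nesting depth before handing JSON to a recursive parser."""
from __future__ import annotations

import json
from typing import Any

MAX_NESTING_DEPTH = 64  # constructed; choose per message schema


class NestingTooDeep(ValueError):
    """Document nests deeper than the configured limit."""


def nesting_depth(obj: Any, limit: int | None = None) -> int:
    """Depth of nested containers: scalars are 0, [] or {} is 1, {"a": [1]} is 2.

    Iterative walk; stops as soon as `limit` is exceeded so a huge document
    is not traversed in full just to be rejected.
    """
    deepest = 0
    stack: list[tuple[Any, int]] = [(obj, 1)]
    while stack:
        node, depth = stack.pop()
        if isinstance(node, dict):
            children = node.values()
        elif isinstance(node, list):
            children = node
        else:
            continue
        if depth > deepest:
            deepest = depth
            if limit is not None and deepest > limit:
                raise NestingTooDeep(f"nesting depth exceeds {limit}")
        stack.extend((child, depth + 1) for child in children)
    return deepest


def load_bounded(text: str, max_depth: int = MAX_NESTING_DEPTH) -> Any:
    """json.loads followed by a depth check; either failure surfaces as NestingTooDeep."""
    try:
        obj = json.loads(text)
    except RecursionError as exc:  # the JSON decoder itself recurses per nesting level
        raise NestingTooDeep("document too deep for the JSON decoder") from exc
    nesting_depth(obj, limit=max_depth)
    return obj  # safe to pass on to a recursive parser such as ParseDict()


def is_within_depth(text: str, max_depth: int = MAX_NESTING_DEPTH) -> bool:
    try:
        load_bounded(text, max_depth)
    except NestingTooDeep:
        return False
    return True


def make_sample(kind: str) -> str:
    """Constructed documents: a shallow config-like object or 500 nested arrays."""
    if kind == "shallow":
        return '{"name": "svc", "ports": [[80, 443]]}'
    return "[" * 500 + "]" * 500
```

Only documents that pass load_bounded() should reach ParseDict(); the limit belongs near the maximum message nesting the schema can legitimately produce.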


10) HTTP response splitting (CVE-ID: CVE-2026-34519)

CWE-ID: CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject extra headers into an HTTP response.

The vulnerability exists due to improper neutralization of CRLF sequences in HTTP headers in the Response reason parameter when creating a response with untrusted reason data. A remote attacker can supply a crafted reason value containing carriage return characters to inject extra headers into an HTTP response.

The issue is exploitable only if an application uses untrusted data in the response reason parameter.


11) Information disclosure (CVE-ID: CVE-2026-34518)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to exposure of sensitive information in redirect handling when following redirects to a different origin. A remote attacker can trigger a cross-origin redirect to disclose sensitive information.

Cookie and Proxy-Authorization headers are retained while the Authorization header is dropped during the redirect.
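
The following is an added example covering items 5 and 11 and is not code from Splunk, urllib3 or aiohttp. It models the header handling a client should apply when following a redirect: if the target's origin (scheme, host and effective port) differs from the current request's, the Authorization, Cookie and Proxy-Authorization headers are removed before the follow-up request, and once removed they are not reinstated later in the chain. The URLs, headers and redirect hops are constructed.

```python
"""Drop credential-bearing headers when a redirect leaves the original origin."""
from __future__ import annotations

from urllib.parse import urljoin, urlsplit

SENSITIVE_HEADERS = frozenset({"authorization", "cookie", "proxy-authorization"})
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed request headers used in the demonstration below.
SAMPLE_HEADERS = {
    "Authorization": "Bearer t0k",
    "Cookie": "sid=1",
    "Proxy-Authorization": "Basic cHg=",
    "Accept": "*/*",
}


def origin_of(url: str) -> tuple[str, str, int | None]:
    """(scheme, host, effective port); https://a.example and https://a.example:443 compare equal."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def resolve_redirect(current_url: str, location: str) -> str:
    """Turn a possibly relative Location value into an absolute URL."""
    return urljoin(current_url, location)


def headers_for_redirect(current_url: str, location: str,
                         headers: dict[str, str]) -> dict[str, str]:
    """Headers to send to the redirect target."""
    target = resolve_redirect(current_url, location)
    if origin_of(target) == origin_of(current_url):
        return dict(headers)  # same origin, scheme included: keep everything
    # Cross-origin (this includes an https -> http downgrade on the same host):
    # strip every credential-bearing header.
    return {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def follow_chain(start_url: str, headers: dict[str, str], hops: dict[str, str],
                 max_redirects: int = 5) -> tuple[str, dict[str, str]]:
    """Walk constructed hops {url: Location}; return the final URL and the headers sent to it."""
    url, current = start_url, dict(headers)
    for _ in range(max_redirects):
        location = hops.get(url)
        if location is None:
            return url, current
        current = headers_for_redirect(url, location, current)
        url = resolve_redirect(url, location)
    raise RuntimeError("too many redirects")


# Constructed chain: api -> cdn -> back to api. Credentials are dropped at the
# first cross-origin hop and do not reappear when the chain returns to the origin.
SAMPLE_HOPS = {
    "https://api.example/login": "https://cdn.example/x",
    "https://cdn.example/x": "https://api.example/final",
}
```

A real client would additionally refuse to forward Proxy-Authorization to any origin server at all; the example keeps to the three headers the bulletin names.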


12) Resource exhaustion (CVE-ID: CVE-2026-34517)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper resource management in Request.post() when processing specially crafted multipart form fields. A remote attacker can send a specially crafted multipart request to cause a denial of service.

The issue affects non-file multipart fields that are read into memory before the client_max_size check is enforced.


13) Input validation error (CVE-ID: CVE-2026-34516)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to improper input validation in multipart header processing when parsing a response with an excessive number of multipart headers. A remote attacker can send a specially crafted response to cause a denial of service.

Other restrictions in place limit the impact of this vulnerability.


14) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-34515)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to server-side request forgery in the static resource handler on Windows when handling requests for static resources that reference a UNC path. A remote attacker can supply a crafted UNC path to disclose sensitive information.

This issue can expose NTLMv2 hash material and may also allow reading a local file on Windows systems.


15) CRLF injection (CVE-ID: CVE-2026-34514)

CWE-ID: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to inject extra headers into a multipart request.

The vulnerability exists due to improper neutralization of carriage return and line feed characters in multipart part content type header construction when constructing a multipart request with an attacker-controlled content_type parameter. A remote attacker can supply a crafted content_type value to inject extra headers into a multipart request.

The issue occurs if an application uses untrusted data for the multipart content_type parameter while constructing a request.
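
The following is an added example covering items 2, 10 and 15 and is not code from Splunk, aiohttp or llhttp. All three are the same class of defect: a value that ends up on a header line (a response reason phrase, a header value, a multipart part's Content-Type) carries CR or LF and so terminates the line early. The serializers below validate every name and value before emitting bytes: names must be RFC 9110 tokens, values may contain printable characters, space, HTAB and obs-text and nothing else. The inputs are constructed.

```python
"""Validate header names and values before serializing HTTP or multipart headers."""
from __future__ import annotations

import re

# RFC 9110 token characters, the only ones permitted in a field name.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Every C0 control except HTAB, plus DEL, is forbidden in a value or reason phrase.
_BAD_VALUE_CHAR = re.compile(r"[\x00-\x08\x0a-\x1f\x7f]")


class HeaderInjectionError(ValueError):
    """A name or value would break the header line it is placed on."""


def validate_header_name(name: str) -> str:
    if not _TOKEN.match(name):
        raise HeaderInjectionError(f"invalid header name {name!r}")
    return name


def validate_header_value(value: str) -> str:
    if _BAD_VALUE_CHAR.search(value):
        raise HeaderInjectionError(f"control character in header value {value!r}")
    return value


def is_safe_header_value(value: str) -> bool:
    return _BAD_VALUE_CHAR.search(value) is None


def build_response_head(status: int, reason: str, headers: dict[str, str]) -> bytes:
    """Serialize a status line and headers, validating the reason phrase and each field."""
    if not 100 <= status <= 599:
        raise ValueError("status out of range")
    lines = [f"HTTP/1.1 {status} {validate_header_value(reason)}"]
    for name, value in headers.items():
        lines.append(f"{validate_header_name(name)}: {validate_header_value(value)}")
    # latin-1 maps obs-text (0x80-0xFF) one-to-one and rejects anything wider.
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def build_multipart_part(boundary: str, field_name: str, content_type: str, body: bytes) -> bytes:
    """One multipart/form-data part with a validated, caller-supplied content type."""
    validate_header_value(boundary)
    # The field name lands inside a quoted-string, so backslash and quote are escaped.
    name = validate_header_value(field_name).replace("\\", "\\\\").replace('"', '\\"')
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{name}"\r\n'
            f"Content-Type: {validate_header_value(content_type)}\r\n\r\n")
    return head.encode("latin-1") + body + b"\r\n"
```

Validation belongs at the point where untrusted data meets the serializer; stripping CR and LF silently is a weaker choice because it hides the attempt from logs.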


16) Resource exhaustion (CVE-ID: CVE-2026-34513)

CWE-ID: CWE-400 - Resource exhaustion

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to uncontrolled resource consumption in TCPConnector DNS cache when handling requests to a very large number of hosts. A remote attacker can cause an application to make requests to many different hosts to cause a denial of service.


17) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2026-22815)

CWE-ID: CWE-770 - Allocation of Resources Without Limits or Throttling

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in header/trailer handling when processing an attacker-controlled request or response. A remote attacker can send a specially crafted request or response to cause a denial of service.
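
The following is an added example covering items 1 and 17 and is not code from Splunk, aiohttp or llhttp. It parses the header block of an HTTP/1.1 request (everything after the request line, up to and including the terminating blank line) and enforces two checks the bulletin points at: exactly one Host header is accepted, and the number and size of header lines are capped so an attacker-controlled request cannot allocate without bound. The limits and sample requests are constructed.

```python
"""Parse an HTTP/1.1 request header block under explicit limits."""
from __future__ import annotations

import re

MAX_HEADER_LINES = 100        # constructed cap on header lines
MAX_LINE_BYTES = 8 * 1024     # constructed cap on one header line
MAX_BLOCK_BYTES = 32 * 1024   # constructed cap on the whole block
# RFC 9110 token characters, the only ones allowed in a field name.
_TOKEN = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


class HeaderError(ValueError):
    """Malformed header block, or a limit exceeded."""


def parse_header_block(raw: bytes) -> dict[str, list[str]]:
    """Return {lower-cased name: [values...]} or raise HeaderError."""
    if len(raw) > MAX_BLOCK_BYTES:
        raise HeaderError("header block too large")
    headers: dict[str, list[str]] = {}
    lines = 0
    terminated = False
    # Strict CRLF framing: a bare CR or LF inside a line is rejected rather
    # than silently treated as a line break.
    for line in raw.split(b"\r\n"):
        if line == b"":
            terminated = True
            break
        lines += 1
        if lines > MAX_HEADER_LINES:
            raise HeaderError("too many header lines")
        if len(line) > MAX_LINE_BYTES:
            raise HeaderError("header line too long")
        if b"\r" in line or b"\n" in line:
            raise HeaderError("bare CR or LF in header line")
        if line[:1] in (b" ", b"\t"):
            raise HeaderError("obsolete line folding rejected")
        name, sep, value = line.partition(b":")
        # _TOKEN also rejects whitespace between the name and the colon.
        if not sep or not _TOKEN.match(name):
            raise HeaderError(f"malformed header name: {name[:32]!r}")
        key = name.decode("ascii").lower()
        headers.setdefault(key, []).append(value.strip(b" \t").decode("latin-1"))
    if not terminated:
        raise HeaderError("header block not terminated by an empty line")
    # HTTP/1.1 requires exactly one Host. More than one is ambiguous (the
    # condition item 1 describes), so the request is refused outright.
    if len(headers.get("host", [])) != 1:
        raise HeaderError("exactly one Host header is required")
    return headers


def is_acceptable(raw: bytes) -> bool:
    """True if the block parses cleanly under the limits above."""
    try:
        parse_header_block(raw)
    except HeaderError:
        return False
    return True


def sample_request(kind: str) -> bytes:
    """Constructed header blocks used to exercise the parser."""
    if kind == "ok":
        return b"Host: app.example\r\nUser-Agent: probe/1.0\r\nAccept: */*\r\n\r\n"
    if kind == "dup-host":
        return b"Host: app.example\r\nHost: other.example\r\n\r\n"
    if kind == "too-many":
        return b"Host: app.example\r\n" + b"X-Filler: 1\r\n" * MAX_HEADER_LINES + b"\r\n"
    raise ValueError(kind)
```

Refusing ambiguous requests at the edge is the simplest mitigation for item 1; a reverse proxy that forwards a request it could not interpret unambiguously leaves the downstream application to guess, and the two may guess differently.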


18) Insecure Temporary File (CVE-ID: CVE-2026-25645)

CWE-ID: CWE-377 - Insecure Temporary File

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to overwrite or substitute extracted files.

The vulnerability exists due to insecure temporary file handling in requests.utils.extract_zipped_paths() when extracting files from zip archives into the system temporary directory. A local user can pre-create a malicious file to overwrite or substitute extracted files.

Only applications that call extract_zipped_paths() directly are affected. User interaction is required to process a crafted zip archive.
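
The following is an added example for item 18 and is not code from the requests project or Splunk. The bulletin describes extraction into the shared system temporary directory, where a local user can pre-create a file or symlink at the predictable target path. The pattern shown avoids that: tempfile.mkdtemp() creates a new directory with an unpredictable name and mode 0700, only the leaf of the member name is reused, and the file is opened with O_CREAT | O_EXCL so anything already present at the destination makes the open fail instead of being followed or overwritten. The archive is constructed in memory.

```python
"""Extract one archive member into a private, freshly created directory."""
from __future__ import annotations

import io
import os
import shutil
import stat
import tempfile
import zipfile


def extract_member_safely(zip_bytes: bytes, member: str) -> str:
    """Write `member` into a new mkdtemp() directory and return the file path."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        info = zf.getinfo(member)  # KeyError if the member is absent
        if info.is_dir():
            raise ValueError("member is a directory")
        # Only the leaf name is reused, so "../" segments in the member name
        # cannot steer the write outside the private directory.
        leaf = os.path.basename(member.replace("\\", "/"))
        if leaf in ("", ".", ".."):
            raise ValueError("unsafe member name")
        target_dir = tempfile.mkdtemp(prefix="extract-")  # mode 0700, unpredictable name
        dest = os.path.join(target_dir, leaf)
        # O_EXCL: fail if anything (file, symlink) already exists at dest.
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_BINARY", 0)
        try:
            fd = os.open(dest, flags, 0o600)
        except OSError:
            shutil.rmtree(target_dir, ignore_errors=True)
            raise
        with os.fdopen(fd, "wb") as out, zf.open(info) as src:
            shutil.copyfileobj(src, out)
    return dest


def verify_and_read(path: str) -> tuple[bool, bytes]:
    """Return (directory is private, file contents), then remove the directory."""
    directory = os.path.dirname(path)
    private = directory != tempfile.gettempdir()
    if os.name == "posix":
        private = private and stat.S_IMODE(os.stat(directory).st_mode) == 0o700
    with open(path, "rb") as f:
        data = f.read()
    shutil.rmtree(directory)
    return private, data


def make_sample_zip() -> bytes:
    """Constructed in-memory archive with a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("data/config.txt", b"x=1\n")
    return buf.getvalue()
```

The caller owns the returned directory and removes it when done; because nothing else can create entries inside it, the extracted file cannot be substituted between the write and the read.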


19) Out-of-bounds read (CVE-ID: CVE-2026-39892)

CWE-ID: CWE-125 - Out-of-bounds read

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a local user to cause a denial of service.

The vulnerability exists due to out-of-bounds read in Python buffer-accepting APIs when processing a non-contiguous buffer. A local user can pass a specially crafted non-contiguous buffer to cause a denial of service.

The issue can read past the end of the buffer on Python versions later than 3.11.


Remediation

Install the update from the vendor's website.