Splunk
CVE-2026-20138
MEDIUM
Severity by source
AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the Splunk _internal index could view the integrationKey, secretKey, and appSecretKey secrets, generated by Duo Two-Factor Authentication for Splunk Enterprise, in plain text.
AnalysisAI
Splunk Search Head Cluster deployments below versions 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11 expose Duo Two-Factor Authentication secrets (integrationKey, secretKey, appSecretKey) in plain text to users with access to the _internal index and appropriate roles. An authenticated attacker with these privileges could retrieve sensitive credentials and compromise Duo authentication controls for the Splunk environment. No patch is currently available for this vulnerability.
Technical ContextAI
Classified as CWE-532 (Insertion of Sensitive Information into Log File). Affects Splunk. In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the Splunk _internal index could view the integrationKey, secretKey, and appSecretKey secrets, generated by Duo Two-Factor Authentication for Splunk Enterprise, in plain text.
RemediationAI
Monitor vendor advisories for a patch.
Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, a low-privileged user that does not hold the admin or powe
In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet la
In versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform below version 9.0.2303.100,
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can execute arbitrary code through t
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run arbitrary operating system c
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘pivot’ search processing language (SPL) command lets
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run risky commands using a more
In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on t
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.2.2403.100, an a
Splunk Web in Splunk Enterprise 7.0.x before 7.0.0.1, 6.6.x before 6.6.3.2, 6.5.x before 6.5.6, 6.4.x before 6.4.9, and
Directory traversal vulnerability in the collect script in Splunk before 5.0.5 allows remote attackers to execute arbitr
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today