CVE-2026-20144
MEDIUMCVSS Vector
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Description
In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.8, and 9.2.11, and Splunk Cloud Platform versions below 10.2.2510.0, 10.1.2507.11, 10.0.2503.9, and 9.3.2411.120, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the the Splunk _internal index could view the Security Assertion Markup Language (SAML) configurations for Attribute query requests (AQRs) or Authentication extensions in plain text within the conf.log file, depending on which feature is configured.
Analysis
Splunk Enterprise and Splunk Cloud Platform deployments expose SAML authentication configurations in plaintext logs accessible to users with Search Head Cluster administrative roles and _internal index access, allowing credential and authentication extension disclosure. Affected versions include Splunk Enterprise below 10.2.0, 10.0.2, 9.4.7, 9.3.8, and 9.2.11, as well as Splunk Cloud Platform versions below 10.2.2510.0, 10.1.2507.11, 10.0.2503.9, and 9.3.2411.120. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running Splunk Enterprise and apply vendor patches as part of regular patch cycle. Review data exposure and access controls.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today