Skip to main content

Splunk Enterprise CVE-2026-20239

| EUVDEUVD-2026-31139 HIGH
Insertion of Sensitive Information into Log File (CWE-532)
2026-05-20 cisco GHSA-7mj7-jqh4-hc7f
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
May 20, 2026 - 18:30 vuln.today
Patch available
May 20, 2026 - 18:02 EUVD

DescriptionCVE.org

In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a role that has access to the _internal index could view session cookies and response bodies that contain sensitive data.

AnalysisAI

Sensitive information disclosure in Splunk Enterprise (below 10.2.2 and 10.0.5) and Splunk Cloud Platform (multiple branches below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13) allows authenticated users with a role granting access to the _internal index to view session cookies and response bodies containing sensitive data logged by the platform. Cisco-reported and patched by Splunk in advisory SVD-2026-0503, the issue is a CWE-532 sensitive-data-in-logs flaw rather than a remote code execution bug, with no public exploit identified at time of analysis.

Technical ContextAI

Splunk's _internal index stores the platform's own operational logs, including splunkd access logs and other internal telemetry generated by the indexer, search head, and forwarder components covered by the CPEs cpe:2.3:a:splunk:splunk_enterprise and cpe:2.3:a:splunk:splunk_cloud_platform. The underlying weakness is CWE-532 (Insertion of Sensitive Information into Log File): HTTP session cookies and full response bodies - which can contain authentication tokens, search results, or PII - were being written into log events that landed in _internal. Because Splunk's role-based access control treats _internal as a queryable index, any role granted read access to it (including custom roles or broadly-scoped power/admin-adjacent roles) could simply run a search to harvest those sensitive artifacts.

RemediationAI

Vendor-released patches are available: upgrade Splunk Enterprise to 10.2.2 or 10.0.5 (or later on each branch), and confirm Splunk Cloud Platform tenants are running at least 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, or 10.0.2503.13 as appropriate to your release train; Splunk Cloud customers are typically upgraded by Splunk but should verify via the advisory at https://advisory.splunk.com/advisories/SVD-2026-0503. As an immediate compensating control until patching, audit which roles grant read access to the _internal index and revoke that privilege from any role that does not strictly require it (note this will break dashboards, monitoring searches, and Splunk Monitoring Console views that rely on _internal); additionally, rotate any session cookies and credentials that may have been exposed in _internal logs, and consider purging or restricting historical _internal data through retention policy adjustments while accepting the loss of operational forensics for that window.

More in Splunk

View all
CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2024-36985 HIGH POC
8.8 Jul 01

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, a low-privileged user that does not hold the admin or powe

CVE-2023-46214 HIGH POC
8.8 Nov 16

In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet la

CVE-2023-32707 HIGH POC
8.8 Jun 01

In versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform below version 9.0.2303.100,

CVE-2022-43571 HIGH POC
8.8 Nov 03

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can execute arbitrary code through t

CVE-2022-43567 HIGH POC
8.8 Nov 04

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run arbitrary operating system c

CVE-2023-22934 HIGH POC
8.0 Feb 14

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘pivot’ search processing language (SPL) command lets

CVE-2022-43566 HIGH POC
8.0 Nov 04

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run risky commands using a more

CVE-2024-36991 HIGH POC
7.5 Jul 01

In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on t

CVE-2024-36990 MEDIUM POC
6.5 Jul 01

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.2.2403.100, an a

CVE-2017-17067 CRITICAL
9.8 Nov 30

Splunk Web in Splunk Enterprise 7.0.x before 7.0.0.1, 6.6.x before 6.6.3.2, 6.5.x before 6.5.6, 6.4.x before 6.4.9, and

CVE-2013-6771 CRITICAL
9.3 Aug 07

Directory traversal vulnerability in the collect script in Splunk before 5.0.5 allows remote attackers to execute arbitr

Share

CVE-2026-20239 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy