Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a role that has access to the _internal index could view session cookies and response bodies that contain sensitive data.
AnalysisAI
Sensitive information disclosure in Splunk Enterprise (below 10.2.2 and 10.0.5) and Splunk Cloud Platform (multiple branches below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13) allows authenticated users with a role granting access to the _internal index to view session cookies and response bodies containing sensitive data logged by the platform. Cisco-reported and patched by Splunk in advisory SVD-2026-0503, the issue is a CWE-532 sensitive-data-in-logs flaw rather than a remote code execution bug, with no public exploit identified at time of analysis.
Technical ContextAI
Splunk's _internal index stores the platform's own operational logs, including splunkd access logs and other internal telemetry generated by the indexer, search head, and forwarder components covered by the CPEs cpe:2.3:a:splunk:splunk_enterprise and cpe:2.3:a:splunk:splunk_cloud_platform. The underlying weakness is CWE-532 (Insertion of Sensitive Information into Log File): HTTP session cookies and full response bodies - which can contain authentication tokens, search results, or PII - were being written into log events that landed in _internal. Because Splunk's role-based access control treats _internal as a queryable index, any role granted read access to it (including custom roles or broadly-scoped power/admin-adjacent roles) could simply run a search to harvest those sensitive artifacts.
RemediationAI
Vendor-released patches are available: upgrade Splunk Enterprise to 10.2.2 or 10.0.5 (or later on each branch), and confirm Splunk Cloud Platform tenants are running at least 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, or 10.0.2503.13 as appropriate to your release train; Splunk Cloud customers are typically upgraded by Splunk but should verify via the advisory at https://advisory.splunk.com/advisories/SVD-2026-0503. As an immediate compensating control until patching, audit which roles grant read access to the _internal index and revoke that privilege from any role that does not strictly require it (note this will break dashboards, monitoring searches, and Splunk Monitoring Console views that rely on _internal); additionally, rotate any session cookies and credentials that may have been exposed in _internal logs, and consider purging or restricting historical _internal data through retention policy adjustments while accepting the loss of operational forensics for that window.
Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, a low-privileged user that does not hold the admin or powe
In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet la
In versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform below version 9.0.2303.100,
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can execute arbitrary code through t
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run arbitrary operating system c
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘pivot’ search processing language (SPL) command lets
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run risky commands using a more
In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on t
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.2.2403.100, an a
Splunk Web in Splunk Enterprise 7.0.x before 7.0.0.1, 6.6.x before 6.6.3.2, 6.5.x before 6.5.6, 6.4.x before 6.4.9, and
Directory traversal vulnerability in the collect script in Splunk before 5.0.5 allows remote attackers to execute arbitr
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31139
GHSA-7mj7-jqh4-hc7f