Splunk Enterprise
CVE-2026-20298
MEDIUM
Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Network attack via SPL/REST with low privilege required; AC:H reflects need for specific endpoint knowledge; confidentiality-only impact with no integrity or availability effect.
Primary rating from Vendor (cisco).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionNVD
In Splunk Enterprise versions below 10.4.1, 10.2.5, 10.0.8, and 9.4.13, and Splunk Cloud Platform versions below 10.5.2605.0, 10.4.2604.6, 10.3.2512.15, 10.2.2510.18, and 10.1.2507.24, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could view stored credential hashes when they access the /servicesNS/-/-/storage/passwords REST endpoint through the |rest Search Processing Language (SPL) command.<br><br>The exposure happens because the |rest SPL command returns the encr_password field in the results of the /servicesNS/-/-/storage/passwords REST endpoint.
AnalysisAI
Credential hash exposure in Splunk Enterprise and Splunk Cloud Platform allows low-privileged users - those without the 'admin' or 'power' roles - to retrieve stored credential hashes by issuing the |rest SPL command against the /servicesNS/-/-/storage/passwords endpoint, which incorrectly returns the encr_password field. Affected are Splunk Enterprise branches below 10.4.1, 10.2.5, 10.0.8, and 9.4.13, and multiple Splunk Cloud Platform versions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) a valid Splunk user account that does NOT hold the 'admin' or 'power' role - any other authenticated user is potentially affected; (2) permission to run SPL searches, including the `|rest` command, on the Splunk instance; and (3) the presence of at least one credential entry in the Splunk passwords store (i.e., an app or manual entry must have stored credentials via this endpoint). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official CVSS 3.1 score of 5.3 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N) correctly captures the high confidentiality impact against a constrained attack surface. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged Splunk user with search access opens a Splunk search window and executes `| rest /servicesNS/-/-/storage/passwords`, receiving JSON results that include the `encr_password` field containing stored credential hashes. The attacker exports these hashes and attempts offline cracking or, if the scheme permits, direct replay against the target external service for which the credential was stored. |
| Remediation | Upgrade Splunk Enterprise to version 10.4.1, 10.2.5, 10.0.8, or 9.4.13 in the respective maintenance branch; upgrade Splunk Cloud Platform to 10.5.2605.0, 10.4.2604.6, 10.3.2512.15, 10.2.2510.18, or 10.1.2507.24 in the respective branch. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, a low-privileged user that does not hold the admin or powe
In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet la
In versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform below version 9.0.2303.100,
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can execute arbitrary code through t
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run arbitrary operating system c
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘pivot’ search processing language (SPL) command lets
In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run risky commands using a more
In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on t
In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.2.2403.100, an a
Splunk Web in Splunk Enterprise 7.0.x before 7.0.0.1, 6.6.x before 6.6.3.2, 6.5.x before 6.5.6, 6.4.x before 6.4.9, and
Directory traversal vulnerability in the collect script in Splunk before 5.0.5 allows remote attackers to execute arbitr
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today