Skip to main content

Splunk Enterprise CVE-2026-20298

MEDIUM
Information Exposure (CWE-200)
2026-07-15 cisco
5.3
CVSS 3.1 · NVD
Share

Severity by source

Vendor (cisco) PRIMARY
MEDIUM
qualitative
NVD
5.3 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.3 MEDIUM

Network attack via SPL/REST with low privilege required; AC:H reflects need for specific endpoint knowledge; confidentiality-only impact with no integrity or availability effect.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (cisco).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 15, 2026 - 17:52 vuln.today
CVE Published
Jul 15, 2026 - 17:18 cve.org
MEDIUM 5.3

DescriptionNVD

In Splunk Enterprise versions below 10.4.1, 10.2.5, 10.0.8, and 9.4.13, and Splunk Cloud Platform versions below 10.5.2605.0, 10.4.2604.6, 10.3.2512.15, 10.2.2510.18, and 10.1.2507.24, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could view stored credential hashes when they access the /servicesNS/-/-/storage/passwords REST endpoint through the |rest Search Processing Language (SPL) command.<br><br>The exposure happens because the |rest SPL command returns the encr_password field in the results of the /servicesNS/-/-/storage/passwords REST endpoint.

AnalysisAI

Credential hash exposure in Splunk Enterprise and Splunk Cloud Platform allows low-privileged users - those without the 'admin' or 'power' roles - to retrieve stored credential hashes by issuing the |rest SPL command against the /servicesNS/-/-/storage/passwords endpoint, which incorrectly returns the encr_password field. Affected are Splunk Enterprise branches below 10.4.1, 10.2.5, 10.0.8, and 9.4.13, and multiple Splunk Cloud Platform versions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Splunk with low-privileged account
Delivery
Execute `|rest /servicesNS/-/-/storage/passwords` SPL query
Exploit
Receive encr_password field in search results
Execution
Extract stored credential hashes
Persist
Crack hashes offline or replay credentials
Impact
Access external services with compromised credentials

Vulnerability AssessmentAI

Exploitation Exploitation requires: (1) a valid Splunk user account that does NOT hold the 'admin' or 'power' role - any other authenticated user is potentially affected; (2) permission to run SPL searches, including the `|rest` command, on the Splunk instance; and (3) the presence of at least one credential entry in the Splunk passwords store (i.e., an app or manual entry must have stored credentials via this endpoint). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 3.1 score of 5.3 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N) correctly captures the high confidentiality impact against a constrained attack surface. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged Splunk user with search access opens a Splunk search window and executes `| rest /servicesNS/-/-/storage/passwords`, receiving JSON results that include the `encr_password` field containing stored credential hashes. The attacker exports these hashes and attempts offline cracking or, if the scheme permits, direct replay against the target external service for which the credential was stored.
Remediation Upgrade Splunk Enterprise to version 10.4.1, 10.2.5, 10.0.8, or 9.4.13 in the respective maintenance branch; upgrade Splunk Cloud Platform to 10.5.2605.0, 10.4.2604.6, 10.3.2512.15, 10.2.2510.18, or 10.1.2507.24 in the respective branch. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Splunk

View all
CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2024-36985 HIGH POC
8.8 Jul 01

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, a low-privileged user that does not hold the admin or powe

CVE-2023-46214 HIGH POC
8.8 Nov 16

In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet la

CVE-2023-32707 HIGH POC
8.8 Jun 01

In versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform below version 9.0.2303.100,

CVE-2022-43571 HIGH POC
8.8 Nov 03

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can execute arbitrary code through t

CVE-2022-43567 HIGH POC
8.8 Nov 04

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run arbitrary operating system c

CVE-2023-22934 HIGH POC
8.0 Feb 14

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘pivot’ search processing language (SPL) command lets

CVE-2022-43566 HIGH POC
8.0 Nov 04

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run risky commands using a more

CVE-2024-36991 HIGH POC
7.5 Jul 01

In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on t

CVE-2024-36990 MEDIUM POC
6.5 Jul 01

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.2.2403.100, an a

CVE-2017-17067 CRITICAL
9.8 Nov 30

Splunk Web in Splunk Enterprise 7.0.x before 7.0.0.1, 6.6.x before 6.6.3.2, 6.5.x before 6.5.6, 6.4.x before 6.4.9, and

CVE-2013-6771 CRITICAL
9.3 Aug 07

Directory traversal vulnerability in the collect script in Splunk before 5.0.5 allows remote attackers to execute arbitr

Share

CVE-2026-20298 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy