Sensitive Information Disclosure in "_internal" index in Splunk Enterprise

Advisory ID: SVD-2026-0203

CVE ID: CVE-2026-20138

Published: 2026-02-18

Last Update: 2026-02-18

CVSSv3.1 Score: 6.8, Medium

CVSSv3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-532

Bug ID: VULN-49054

Description

In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the Splunk _internal index could view the integrationKey, secretKey, and appSecretKey secrets, generated by Duo Two-Factor Authentication for Splunk Enterprise, in plain text.

See the following for more information:

Solution

Upgrade Splunk Enterprise to versions 10.2.0, 10.0.2, 9.4.7, 9.3.9, 9.2.11, or higher.

Product Status

ProductBase VersionComponentAffected VersionFix Version
Splunk Enterprise10.2splunkdNot affected10.2.0
Splunk Enterprise10.0splunkd10.0.0 to 10.0.110.0.2
Splunk Enterprise9.4splunkd9.4.0 to 9.4.69.4.7
Splunk Enterprise9.3splunkd9.3.0 to 9.3.89.3.9
Splunk Enterprise9.2splunkd9.2.0 to 9.2.109.2.11

Mitigations and Workarounds

To eliminate further risk and help ensure a high level of security in your environment, you must perform the following recommended actions:

  • Rotate the integrationKeysecret from your Duo configuration. You can find this key on your Duo Security configuration page or at Configuration > Details.
  • Rotate the secretKey secret from your Duo Security configuration or detail. You can find this key on your Duo Security configuration page or at Configuration > Details.
  • Manually generate the appSecretKey secret ( Duo Multi-Factor Authentication (MFA) vendor settings in the authentication.conf configuration file).

Detections

None

Severity

Splunk rates this vulnerability a 6.8, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.