Sensitive Information Disclosure in "_internal" index in Splunk Enterprise

Advisory ID: SVD-2026-0203

CVE ID: CVE-2026-20138

Published: 2026-02-18

Last Update: 2026-02-18

CVSSv3.1 Score: 6.8, Medium

CWE: CWE-532

Bug ID: VULN-49054

Description

In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the Splunk _internal index could view the integrationKey, secretKey, and appSecretKey secrets, generated by Duo Two-Factor Authentication for Splunk Enterprise, in plain text.

See the following for more information:

Solution

Upgrade Splunk Enterprise to versions 10.2.0, 10.0.2, 9.4.7, 9.3.9, 9.2.11, or higher.

Product Status

Product            Base Version  Component  Affected Version   Fix Version
Splunk Enterprise  10.2          splunkd    Not affected       N/A
Splunk Enterprise  10.0          splunkd    10.0.0 to 10.0.1   10.0.2
Splunk Enterprise  9.4           splunkd    9.4.0 to 9.4.6     9.4.7
Splunk Enterprise  9.3           splunkd    9.3.0 to 9.3.8     9.3.9
Splunk Enterprise  9.2           splunkd    9.2.0 to 9.2.10    9.2.11

Mitigations and Workarounds

To eliminate further risk and help ensure a high level of security in your environment, you must perform the following recommended actions:

  • Rotate the integrationKey secret from your Duo configuration. You can find this key on your Duo Security configuration page or at Configuration > Details.
  • Rotate the secretKey secret from your Duo Security configuration or details. You can find this key on your Duo Security configuration page or at Configuration > Details.
  • Manually generate the appSecretKey secret (Duo Multi-Factor Authentication (MFA) vendor settings in the authentication.conf configuration file).
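
To scope who could have read the exposed secrets, it helps to list the roles that can search the _internal index, including access inherited through importRoles. The following is an added example, not part of the advisory or Splunk's own tooling; the role names and sample configuration are constructed, and it assumes a single merged authorize.conf (for instance the output of splunk btool authorize list) without modeling other settings that restrict index access.

```python
import configparser
import fnmatch

# Constructed sample of merged authorize.conf role stanzas (not from the advisory).
SAMPLE_AUTHORIZE_CONF = """
[role_power]
srchIndexesAllowed = main;summary
[role_soc_analyst]
importRoles = power
srchIndexesAllowed = security;_internal
[role_helpdesk]
importRoles = soc_analyst
[role_admin]
importRoles = power
srchIndexesAllowed = *;_*
[role_auditor]
srchIndexesAllowed = *
"""

def parse_roles(text):
    """Return {role: {"indexes": [...], "imports": [...]}} from role_* stanzas."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep Splunk's camelCase setting names
    cp.read_string(text)
    def items(section, key):  # values are semicolon-separated lists
        raw = cp.get(section, key, fallback="")
        return [v.strip() for v in raw.split(";") if v.strip()]
    return {s[len("role_"):]: {"indexes": items(s, "srchIndexesAllowed"),
                               "imports": items(s, "importRoles")}
            for s in cp.sections() if s.startswith("role_")}

def pattern_matches(pattern, index):
    # Wildcards reach internal (underscore-prefixed) indexes only when the pattern
    # itself starts with "_": "*" does not grant _internal, "_*" does.
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    return fnmatch.fnmatchcase(index, pattern)

def roles_with_access(roles, index="_internal"):
    """Map each role that can search `index` to the patterns that grant it."""
    def effective(name, seen):
        if name in seen or name not in roles:  # import cycle or unknown role
            return set()
        seen.add(name)
        patterns = set(roles[name]["indexes"])
        for parent in roles[name]["imports"]:
            patterns |= effective(parent, seen)
        return patterns
    hits = {r: sorted(p for p in effective(r, set()) if pattern_matches(p, index))
            for r in roles}
    return {r: p for r, p in hits.items() if p}
```

On the constructed sample this reports soc_analyst, helpdesk (through inheritance) and admin; auditor is not listed because a bare * does not cover internal indexes.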

Detections

None

Severity

Splunk rates this vulnerability a 6.8, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.