Client-Side Denial of Service (DoS) through ''/splunkd/__raw/services/authentication/users/username'' REST API endpoint in Splunk Enterprise
Advisory ID: SVD-2026-0204
CVE ID: CVE-2026-20139
Published: 2026-02-18
Last Update: 2026-02-18
CVSSv3.1 Score: 4.3, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
CWE: CWE-400
Bug ID: VULN-30996
Description
In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.8, 9.3.9, and 9.2.12, and Splunk Cloud Platform versions below 10.2.2510.3, 10.1.2507.8, 10.0.2503.9, and 9.3.2411.121, a low-privileged user that does not hold the “admin” or “power” Splunk roles could craft a malicious payload into the realname, tz, or email parameters of the /splunkd/__raw/services/authentication/users/username REST API endpoint when they change a password. This could potentially lead to a client‑side denial‑of‑service (DoS). The malicious payload might significantly slow page load times or render Splunk Web temporarily unresponsive.
Solution
Upgrade Splunk Enterprise to versions 10.2.0, 10.0.2, 9.4.8, 9.3.9, 9.2.12, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
| Product | Base Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 10.2 | Splunk Web | Not affected | 10.2.0 |
| Splunk Enterprise | 10.0 | Splunk Web | 10.0.0 to 10.0.1 | 10.0.2 |
| Splunk Enterprise | 9.4 | Splunk Web | 9.4.0 to 9.4.7 | 9.4.8 |
| Splunk Enterprise | 9.3 | Splunk Web | 9.3.0 to 9.3.8 | 9.3.9 |
| Splunk Enterprise | 9.2 | Splunk Web | 9.2.0 to 9.2.11 | 9.2.12 |
| Splunk Cloud Platform | 10.2.2510 | Splunk Web | Below 10.2.2510.3 | 10.2.2510.3 |
| Splunk Cloud Platform | 10.1.2507 | Splunk Web | Below 10.1.2507.8 | 10.1.2507.8 |
| Splunk Cloud Platform | 10.0.2503 | Splunk Web | Below 10.0.2503.9 | 10.0.2503.9 |
| Splunk Cloud Platform | 9.3.2411 | Splunk Web | Below 9.3.2411.121 | 9.3.2411.121 |
Mitigations and Workarounds
The vulnerability affects instances with Splunk Web turned on, turning Splunk Web off is a possible workaround. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification file for more information on turning off Splunk Web.
Detections
None
Severity
Splunk rates this vulnerability a 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L.
Acknowledgments
STÖK / Fredrik Alexandersson