Sensitive Information Disclosure in "_internal" index in Splunk Enterprise
Advisory ID: SVD-2026-0207
CVE ID: CVE-2026-20142
Published: 2026-02-18
Last Update: 2026-02-18
CVSSv3.1 Score: 6.8, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-532
Bug ID: VULN-49054
Description
In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the Splunk _internal index could view the RSA accessKey value from the Authentication.conf file, in plain text.
For more information see Configure RSA authentication from Splunk Web.
Solution
Upgrade Splunk Enterprise to versions 10.2.0, 10.0.2, 9.4.7, 9.3.9, 9.2.11, or higher.
Product Status
| Product | Base Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 10.2 | splunkd | Not affected | 10.2.0 |
| Splunk Enterprise | 10.0 | splunkd | 10.0.0 to 10.0.1 | 10.0.2 |
| Splunk Enterprise | 9.4 | splunkd | 9.4.0 to 9.4.6 | 9.4.7 |
| Splunk Enterprise | 9.3 | splunkd | 9.3.0 to 9.3.8 | 9.3.9 |
| Splunk Enterprise | 9.2 | splunkd | 9.2.0 to 9.2.10 | 9.2.11 |
Mitigations and Workarounds
To eliminate further risk and help ensure a high level of security in your environment, you must perform the following recommended actions:
- Rotate the RSA Access Key (
accessKey) secret and update the new value in the authentication.conf configuration file. For more information see Configure RSA authentication from Splunk Web.
Detections
None
Severity
Splunk rates this vulnerability a 6.8, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.