Sensitive Information Disclosure in '_internal' index in Splunk Enterprise
Advisory ID: SVD-2026-0209
CVE ID: CVE-2026-20144
Published: 2026-02-18
Last Update: 2026-02-18
CVSSv3.1 Score: 6.8, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-532
Bug ID: VULN-48743
Description
In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.8, and 9.2.11, and Splunk Cloud Platform versions below 10.2.2510.0, 10.1.2507.11, 10.0.2503.9, and 9.3.2411.120, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the Splunk _internal index could view the Security Assertion Markup Language (SAML) configurations for “Attribute query requests” (AQRs) or “Authentication extensions” in plain text within the conf.log file, depending on which feature is configured.
For more information, see:
- Specify searchable indexes for a role
- Configure authentication extensions to interface with your SAML identity provider
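To scope exposure, the following added example (not code from Splunk or this advisory) lists which roles in an authorize.conf can search `_internal`, either directly or through `importRoles`. It assumes the input is the merged configuration text (for example, the output of `splunk btool authorize list`), uses a constructed sample, and does not evaluate `srchIndexesDisallowed`.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample authorize.conf content (not taken from the advisory).
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main

[role_power]
importRoles = user
srchIndexesAllowed = *

[role_ops]
importRoles = power
srchIndexesAllowed = _internal;_audit

[role_auditor]
srchIndexesAllowed = _*

[role_helpdesk]
importRoles = ops
"""

def pattern_matches(pattern, index):
    # Splunk wildcard rule: '*' does not match internal indexes; a pattern
    # must itself start with '_' to match an index such as _internal.
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    return fnmatchcase(index, pattern)

def roles_with_index(conf_text, index="_internal"):
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    roles = {s[5:]: cp[s] for s in cp.sections() if s.startswith("role_")}

    def allowed(role, seen):
        if role in seen or role not in roles:  # import cycle or unknown role
            return None
        for pat in roles[role].get("srchIndexesAllowed", "").split(";"):
            if pat.strip() and pattern_matches(pat.strip(), index):
                return f"direct ({pat.strip()})"
        for parent in roles[role].get("importRoles", "").split(";"):
            if parent.strip() and allowed(parent.strip(), seen | {role}):
                return f"inherited from {parent.strip()}"
        return None
    return {r: why for r in sorted(roles) if (why := allowed(r, frozenset()))}

if __name__ == "__main__":
    print(roles_with_index(SAMPLE_AUTHORIZE_CONF))
```

Roles reported here are the ones whose members could have read conf.log in `_internal` on an affected SHC deployment; a bare `*` grant is not reported because it does not cover internal indexes.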
Solution
Upgrade Splunk Enterprise to versions 10.2.0, 10.0.2, 9.4.7, 9.3.8, 9.2.11, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
| Product | Base Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 10.2 | splunkd | Not affected | 10.2.0 |
| Splunk Enterprise | 10.0 | splunkd | 10.0.0 to 10.0.1 | 10.0.2 |
| Splunk Enterprise | 9.4 | splunkd | 9.4.0 to 9.4.6 | 9.4.7 |
| Splunk Enterprise | 9.3 | splunkd | 9.3.0 to 9.3.7 | 9.3.8 |
| Splunk Enterprise | 9.2 | splunkd | 9.2.0 to 9.2.10 | 9.2.11 |
| Splunk Cloud Platform | 10.2.2510 | splunkd | Not affected | 10.2.2510.0 |
| Splunk Cloud Platform | 10.1.2507 | splunkd | Below 10.1.2507.11 | 10.1.2507.11 |
| Splunk Cloud Platform | 10.0.2503 | splunkd | Below 10.0.2503.9 | 10.0.2503.9 |
| Splunk Cloud Platform | 9.3.2411 | splunkd | Below 9.3.2411.120 | 9.3.2411.120 |
Mitigations and Workarounds
To eliminate further risk and help ensure a high level of security in your environment, you must perform the following recommended actions:
- Change the password that is currently specified in your SAML “Attribute query requests” (AQR) configuration.
- Rotate all the sensitive key values in your SAML “Authentication extensions > Script secure arguments” configuration.
You can access your SAML configuration by navigating to “Settings > Authentication methods > SAML - Configure Splunk to use SAML > SAML Config” in Splunk Web. See more information about configuring SAML AQR and SAML authentication extensions in the Splunk documentation: Configure authentication extensions to interface with your SAML identity provider.
Detections
None
Severity
Splunk rates this vulnerability a 6.8, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.