Sensitive Information Disclosure through Improper Access Control in Splunk Enterprise
Advisory ID: SVD-2026-0303
CVE ID: CVE-2026-20164
Published: 2026-03-11
Last Update: 2026-03-11
CVSSv3.1 Score: 6.5, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-200
Bug ID: VULN-43996
Description
In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, 10.0.2503.11, and 9.3.2411.123, a low-privileged user that does not hold the “admin” or “power” Splunk roles could, because of improper access control, access the /splunkd/__raw/servicesNS/-/-/configs/conf-passwords REST API endpoint, which exposes the hashed or plaintext password values stored in the passwords.conf configuration file. This vulnerability could allow for the unauthorized disclosure of sensitive credentials.
Solution
Upgrade Splunk Enterprise to versions 10.2.0, 10.0.3, 9.4.9, 9.3.10 or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
| Product | Base Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 10.2 | REST API | Not affected | 10.2.0 |
| Splunk Enterprise | 10.0 | REST API | 10.0.0 to 10.0.2 | 10.0.3 |
| Splunk Enterprise | 9.4 | REST API | 9.4.0 to 9.4.8 | 9.4.9 |
| Splunk Enterprise | 9.3 | REST API | 9.3.0 to 9.3.9 | 9.3.10 |
| Splunk Cloud Platform | 10.2.2510 | REST API | Below 10.2.2510.5 | 10.2.2510.5 |
| Splunk Cloud Platform | 10.1.2507 | REST API | Below 10.1.2507.16 | 10.1.2507.16 |
| Splunk Cloud Platform | 10.0.2503 | REST API | Below 10.0.2503.11 | 10.0.2503.11 |
| Splunk Cloud Platform | 9.3.2411 | REST API | Below 9.3.2411.123 | 9.3.2411.123 |
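The following is an added triage helper, not code from Splunk or from this advisory: it encodes the fix versions from the Product Status table above and reports, for an inventory of Splunk instances, which ones fall below the fix version of their branch. Branches the table does not list (for example a 9.2.x Enterprise release) are reported as "not listed" rather than guessed at; the inventory entries are constructed sample data.

```python
import re
from typing import List, Optional, Tuple

# First fixed build per (product, base version), taken from the advisory's
# Product Status table. A version below its branch's fix version is affected.
FIX_VERSIONS = {
    ("Splunk Enterprise", "10.2"): "10.2.0",
    ("Splunk Enterprise", "10.0"): "10.0.3",
    ("Splunk Enterprise", "9.4"): "9.4.9",
    ("Splunk Enterprise", "9.3"): "9.3.10",
    ("Splunk Cloud Platform", "10.2.2510"): "10.2.2510.5",
    ("Splunk Cloud Platform", "10.1.2507"): "10.1.2507.16",
    ("Splunk Cloud Platform", "10.0.2503"): "10.0.2503.11",
    ("Splunk Cloud Platform", "9.3.2411"): "9.3.2411.123",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.4.8' or '10.2.2510.5' into a tuple of ints so that
    comparison is numeric per component, not lexical ('9.4.10' > '9.4.9')."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in version.split("."))


def assess(product: str, version: str) -> Optional[bool]:
    """True if affected, False if at or above the fix version,
    None if the advisory table does not list this product branch."""
    parts = parse_version(version)
    branches = [(b, f) for (p, b), f in FIX_VERSIONS.items() if p == product]
    # Longest base-version prefix wins, so '10.2.2510' is matched before '10.2'.
    for base, fix in sorted(branches, key=lambda b: -len(b[0])):
        base_parts = parse_version(base)
        if parts[: len(base_parts)] == base_parts:
            return parts < parse_version(fix)
    return None


def affected_hosts(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the host names whose (product, version) is affected."""
    return [h for h, p, v in inventory if assess(p, v) is True]


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("sh-01", "Splunk Enterprise", "9.4.8"),
    ("sh-02", "Splunk Enterprise", "9.4.9"),
    ("idx-01", "Splunk Enterprise", "10.2.0"),
    ("old-01", "Splunk Enterprise", "9.2.5"),        # branch not in table
    ("cloud-a", "Splunk Cloud Platform", "10.2.2510.4"),
    ("cloud-b", "Splunk Cloud Platform", "9.3.2411.123"),
]
```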
Mitigations and Workarounds
None
Detections
None
Severity
Splunk rates this vulnerability a 6.5, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N.
Acknowledgments
Alex Hordijk (hordalex)