Improper Input Validation during User Account Creation in Splunk Enterprise
Advisory ID: SVD-2026-0401
CVE ID: CVE-2026-20202
Published: 2026-04-15
Last Update: 2026-04-15
CVSSv3.1 Score: 6.6, Medium
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-176
Bug ID: VULN-48726
Description
In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127, a user who holds a role that contains the high-privilege capability edit_user could create a specially crafted username that includes a null byte or a non-UTF-8 percent-encoded byte, due to improper input validation.
Because such a username is not converted consistently into the canonical form used for storage, the resulting account can end up in an inconsistent state, for example one in which the affected user cannot be edited or deleted.
See Define roles on the Splunk platform with capabilities and props.conf for more information.
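The following is an added illustration, not Splunk's code and not an exploit for this CVE. It shows the general failure mode the advisory describes (a null byte or an undecodable percent-encoded byte surviving into a username, and two code paths normalizing it differently so the stored account no longer matches a later lookup) next to the kind of strict validation that rejects such input. The helper names, the two hypothetical normalization paths and the in-memory "store" are assumptions made for the example.

```python
from urllib.parse import unquote, unquote_to_bytes


class InvalidUsername(ValueError):
    """Raised when a submitted username fails validation."""


def naive_normalize(raw: str) -> str:
    # Weak pattern (hypothetical, not Splunk's code): percent-decode with the
    # default errors="replace", so an undecodable byte such as %FF silently
    # becomes U+FFFD and an embedded %00 survives as a NUL character.
    return unquote(raw, encoding="utf-8", errors="replace")


def latin1_normalize(raw: str) -> str:
    # A second hypothetical code path that decodes the same bytes as Latin-1.
    # Two paths that disagree are the "inconsistent conversion" failure mode.
    return unquote_to_bytes(raw).decode("latin-1")


def account_is_reachable(raw: str) -> bool:
    # Store the account under one normalization and look it up under the other
    # (in-memory dict standing in for an account store; constructed for the
    # example). Returns False when the two representations diverge, which is
    # the state in which the account can no longer be edited or deleted by name.
    store = {naive_normalize(raw): {"roles": ["user"]}}
    return latin1_normalize(raw) in store


def validate_username(raw: str) -> str:
    # Hardened form: reject the byte sequences the advisory names before any
    # lossy conversion happens, then decode strictly so only well-formed UTF-8
    # reaches the storage layer.
    decoded = unquote_to_bytes(raw)
    if b"\x00" in decoded:
        raise InvalidUsername("username contains a null byte")
    try:
        name = decoded.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise InvalidUsername("username contains a non-UTF-8 percent-encoded byte") from exc
    if not name or any(ord(ch) < 0x20 or ch == "\x7f" for ch in name):
        raise InvalidUsername("username is empty or contains a control character")
    return name


if __name__ == "__main__":
    # Constructed sample inputs: a clean name, a valid UTF-8 escape, an
    # embedded NUL and a lone 0xFF byte that is not valid UTF-8.
    for candidate in ("alice", "al%C3%A9", "alice%00", "alice%ff"):
        print(f"{candidate!r}: naive={naive_normalize(candidate)!r} "
              f"latin1={latin1_normalize(candidate)!r} "
              f"reachable={account_is_reachable(candidate)}")
        try:
            print("  accepted as", repr(validate_username(candidate)))
        except InvalidUsername as err:
            print("  rejected:", err)
```

The point of the strict path is to decide on the raw bytes first: a NUL is rejected before anything can truncate on it, and a byte that is not valid UTF-8 is rejected rather than replaced, so every later component sees exactly one representation of the name.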
Solution
Upgrade Splunk Enterprise to versions 10.2.2, 10.0.5, 9.4.10, 9.3.11, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
| Product | Base Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 10.2 | REST API | 10.2.0 to 10.2.1 | 10.2.2 |
| Splunk Enterprise | 10.0 | REST API | 10.0.0 to 10.0.4 | 10.0.5 |
| Splunk Enterprise | 9.4 | REST API | 9.4.0 to 9.4.9 | 9.4.10 |
| Splunk Enterprise | 9.3 | REST API | 9.3.0 to 9.3.10 | 9.3.11 |
| Splunk Cloud Platform | 10.4.2603 | REST API | Not Affected | Not Affected |
| Splunk Cloud Platform | 10.3.2512 | REST API | Below 10.3.2512.6 | 10.3.2512.6 |
| Splunk Cloud Platform | 10.2.2510 | REST API | Below 10.2.2510.10 | 10.2.2510.10 |
| Splunk Cloud Platform | 10.1.2507 | REST API | Below 10.1.2507.20 | 10.1.2507.20 |
| Splunk Cloud Platform | 10.0.2503 | REST API | Below 10.0.2503.13 | 10.0.2503.13 |
| Splunk Cloud Platform | 9.3.2411 | REST API | Below 9.3.2411.127 | 9.3.2411.127 |
Mitigations and Workarounds
None
Detections
None
Severity
Splunk rates this vulnerability a 6.6, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H.
Acknowledgments
Ryan Luke
Mahfujur Rahman (mahfujwhh)