Improper Access Control in Data Model Acceleration in Splunk Enterprise

Advisory ID: SVD-2026-0402

CVE ID: CVE-2026-20203

Published: 2026-04-15

Last Update: 2026-04-15

CVSSv3.1 Score: 4.3, Medium

CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE: CWE-284

Bug ID: VULN-25557

Description

In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the admin or power Splunk roles, has write permission on the app, and does not hold the high-privilege capability accelerate_datamodel, could turn on or off Data Model Acceleration due to improper access control.

For more information see Accelerate data models and Define roles on the Splunk platform with capabilities.

Solution

Upgrade Splunk Enterprise to versions 10.2.2, 10.0.5, 9.4.10, 9.3.11, or higher.

Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Product Status

ProductBase VersionComponentAffected VersionFix Version
Splunk Enterprise10.2REST API10.2.0 to 10.2.110.2.2
Splunk Enterprise10.0REST API10.0.0 to 10.0.410.0.5
Splunk Enterprise9.4REST API9.4.0 to 9.4.99.4.10
Splunk Enterprise9.3REST API9.3.0 to 9.3.109.3.11
Splunk Cloud Platform10.4.2603REST APINot AffectedNot Affected
Splunk Cloud Platform10.3.2512REST APIBelow 10.3.2512.610.3.2512.6
Splunk Cloud Platform10.2.2510REST APIBelow 10.2.2510.1010.2.2510.10
Splunk Cloud Platform10.1.2507REST APIBelow 10.1.2507.1910.1.2507.19
Splunk Cloud Platform10.0.2503REST APIBelow 10.0.2503.1310.0.2503.13
Splunk Cloud Platform9.3.2411REST APIBelow 9.3.2411.1279.3.2411.127

Mitigations and Workarounds

None

Detections

None

Severity

Splunk rates this vulnerability a 4.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N.

Acknowledgments

Mr Hack (try_to_hack) Santiago Lopez