Sensitive Information Disclosure through Log Files in Splunk Enterprise
Advisory ID: SVD-2026-0503
CVE ID: CVE-2026-20239
Published: 2026-05-20
Last Update: 2026-05-20
CVSSv3.1 Score: 7.5, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-532
Bug ID: VULN-65234
Description
In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a role that has access to the _internal index could view session cookies and response bodies that contain sensitive data.
The vulnerability is caused by missing output buffer sanitization in the TcpChannel component, which logs full I/O buffer contents at WARN level when discarding data during socket errors.
See About role-based user access in the Splunk documentation for more information.
Solution
Upgrade Splunk Enterprise to versions 10.2.2, 10.0.5, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
| Product | Base Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 10.2 | splunkd | 10.2.0 to 10.2.1 | 10.2.2 |
| Splunk Enterprise | 10.0 | splunkd | 10.0.0 to 10.0.4 | 10.0.5 |
| Splunk Enterprise | 9.4 | splunkd | Not affected | N/A |
| Splunk Enterprise | 9.3 | splunkd | Not affected | N/A |
| Splunk Cloud Platform | 10.3.2512 | splunkd | Below 10.3.2512.8 | 10.3.2512.8 |
| Splunk Cloud Platform | 10.2.2510 | splunkd | Below 10.2.2510.11 | 10.2.2510.11 |
| Splunk Cloud Platform | 10.1.2507 | splunkd | Below 10.1.2507.21 | 10.1.2507.21 |
| Splunk Cloud Platform | 10.0.2503 | splunkd | Below 10.0.2503.13 | 10.0.2503.13 |
Mitigations and Workarounds
To eliminate further risk and help ensure a high level of security in your environment, review roles and capabilities on your instance and restrict _internal index access to administrator level roles. See Define roles on the Splunk platform with capabilities in the Splunk documentation for more information.
Detections
None
Severity
Splunk rates this vulnerability a 7.5, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.
Acknowledgments
Charlie Huggard, Splunk