Sensitive Information Disclosure through the storage/passwords REST Endpoint in Splunk Enterprise

Advisory ID: SVD-2026-0704

CVE ID: CVE-2026-20298

Published: 2026-07-15

Last Update: 2026-07-15

CVSSv3.1 Score: 5.3, Medium

CWE: CWE-200

Bug ID: VULN-42856

Description

In Splunk Enterprise versions below 10.4.1, 10.2.5, 10.0.8, and 9.4.13, and Splunk Cloud Platform versions below 10.5.2605.0, 10.4.2604.6, 10.3.2512.15, 10.2.2510.18, and 10.1.2507.24, a low-privileged user that does not hold the ‘admin’ or ‘power’ Splunk roles could view stored credential hashes when they access the /servicesNS/-/-/storage/passwords REST endpoint through the |rest Search Processing Language (SPL) command.

The exposure happens because the |rest SPL command returns the encr_password field in the results of the /servicesNS/-/-/storage/passwords REST endpoint.

Solution

To fix the problem, perform the following procedure on Splunk Enterprise:
1. Upgrade Splunk Enterprise to versions 10.4.1, 10.2.5, 10.0.8, 9.4.13, or higher.
2. In the limits.conf configuration file, under the [storage_passwords_masking] stanza, set mask_encr_password = true.
3. Restart the Splunk Enterprise instance.

For more information, see How to edit a configuration file and the limits.conf configuration specification file.

Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Product Status

ProductBase VersionComponentAffected VersionFix Version
Splunk Enterprise10.4REST API10.4.0 to 10.4.010.4.1
Splunk Enterprise10.2REST API10.2.0 to 10.2.410.2.5
Splunk Enterprise10.0REST API10.0.0 to 10.0.710.0.8
Splunk Enterprise9.4REST API9.4.0 to 9.4.129.4.13
Splunk Cloud Platform10.5.2605REST APIBelow 10.5.2605.010.5.2605.0
Splunk Cloud Platform10.4.2604REST APIBelow 10.4.2604.610.4.2604.6
Splunk Cloud Platform10.3.2512REST APIBelow 10.3.2512.1510.3.2512.15
Splunk Cloud Platform10.2.2510REST APIBelow 10.2.2510.1810.2.2510.18
Splunk Cloud Platform10.1.2507REST APIBelow 10.1.2507.2410.1.2507.24

Mitigations and Workarounds

None

Detections

None

Severity

Splunk rates this vulnerability a 5.3, Medium, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N.