CVE-2026-20139
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Summary
In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.8, 9.3.9, and 9.2.12, and Splunk Cloud Platform versions below 10.2.2510.3, 10.1.2507.8, 10.0.2503.9, and 9.3.2411.121, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload into the realname, tz, or email parameters of the /splunkd/__raw/services/authentication/users/username REST API endpoint when they change a password. This could potentially lead to a client‑side denial‑of‑service (DoS). The malicious payload might significantly slow page load times or render Splunk Web temporarily unresponsive.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Splunk | Splunk Enterprise | 10.0 < 10.0.2 | affected |
| Splunk | Splunk Enterprise | 9.4 < 9.4.8 | affected |
| Splunk | Splunk Enterprise | 9.3 < 9.3.9 | affected |
| Splunk | Splunk Enterprise | 9.2 < 9.2.12 | affected |
| Splunk | Splunk Cloud Platform | 10.2.2510 < 10.2.2510.3 | affected |
| Splunk | Splunk Cloud Platform | 10.1.2507 < 10.1.2507.8 | affected |
| Splunk | Splunk Cloud Platform | 10.0.2503 < 10.0.2503.9 | affected |
| Splunk | Splunk Cloud Platform | 9.3.2411 < 9.3.2411.121 | affected |
Weaknesses
- CWE-400: The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.