CVE-2026-20144

Summary

In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.8, and 9.2.11, and Splunk Cloud Platform versions below 10.2.2510.0, 10.1.2507.11, 10.0.2503.9, and 9.3.2411.120, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the the Splunk _internal index could view the Security Assertion Markup Language (SAML) configurations for Attribute query requests (AQRs) or Authentication extensions in plain text within the conf.log file, depending on which feature is configured.

Affected Software

VendorProductVersion RangeStatus
SplunkSplunk Enterprise10.0 < 10.0.2affected
SplunkSplunk Enterprise9.4 < 9.4.7affected
SplunkSplunk Enterprise9.3 < 9.3.8affected
SplunkSplunk Enterprise9.2 < 9.2.11affected
SplunkSplunk Cloud Platform10.1.2507 < 10.1.2507.11affected
SplunkSplunk Cloud Platform10.0.2503 < 10.0.2503.9affected
SplunkSplunk Cloud Platform9.3.2411 < 9.3.2411.120affected

Weaknesses

  • CWE-532: Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References