CVE-2026-20138
Received Received - Intake
Information Disclosure in Splunk SHC Exposes Duo 2FA Secrets

Publication date: 2026-02-18

Last updated on: 2026-02-20

Assigner: Cisco Systems, Inc.

Description
In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the Splunk `_internal` index could view the `integrationKey`, `secretKey`, and `appSecretKey` secrets, generated by [Duo Two-Factor Authentication for Splunk Enterprise](https://duo.com/docs/splunk), in plain text.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-20138
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
splunk splunk From 10.0.0 (inc) to 10.0.2 (exc)
splunk splunk From 9.2.0 (inc) to 9.2.11 (exc)
splunk splunk From 9.3.0 (inc) to 9.3.9 (exc)
splunk splunk From 9.4.0 (inc) to 9.4.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-532 The product writes sensitive information to a log file.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-20138 is a medium-severity vulnerability affecting certain versions of Splunk Enterprise prior to 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11. In Splunk Search Head Cluster deployments, users who have roles with access to the internal Splunk index called "_internal" can view sensitive Duo Two-Factor Authentication secrets in plaintext.'}, {'type': 'paragraph', 'content': 'These secrets include the integrationKey, secretKey, and appSecretKey, which are used for Duo MFA integration and are stored in the authentication.conf configuration file. The vulnerability occurs because these secrets are exposed within the "_internal" index, making them searchable by authorized users, leading to sensitive information disclosure.'}] [1]

Impact Analysis

This vulnerability can lead to the disclosure of sensitive authentication secrets used for Duo Two-Factor Authentication in Splunk Enterprise. If an attacker or unauthorized user with high privileges accesses these secrets, they could potentially compromise the multi-factor authentication mechanism.

The impact includes a loss of confidentiality, integrity, and availability of the authentication system, as indicated by the CVSS score. This could allow attackers to bypass or weaken the security provided by Duo MFA, potentially leading to unauthorized access to systems protected by this authentication.

Compliance Impact

I don't know

Detection Guidance

No specific detection methods or commands are provided to identify this vulnerability on your network or system.

Mitigation Strategies

To mitigate this vulnerability, upgrade Splunk Enterprise to versions 10.2.0, 10.0.2, 9.4.7, 9.3.9, 9.2.11, or later.

Additionally, rotate the integrationKey and secretKey via the Duo Security configuration page.

Manually generate a new appSecretKey in the authentication.conf file to further reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20138. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart