CVE-2026-20138
Received Received - Intake

Information Disclosure in Splunk SHC Exposes Duo 2FA Secrets

Vulnerability report for CVE-2026-20138, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-18

Last updated on: 2026-02-20

Assigner: Cisco Systems, Inc.

Description

In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the Splunk `_internal` index could view the `integrationKey`, `secretKey`, and `appSecretKey` secrets, generated by [Duo Two-Factor Authentication for Splunk Enterprise](https://duo.com/docs/splunk), in plain text.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-18
Last Modified
2026-02-20
Generated
2026-07-06
AI Q&A
2026-02-18
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
splunk splunk From 10.0.0 (inc) to 10.0.2 (exc)
splunk splunk From 9.2.0 (inc) to 9.2.11 (exc)
splunk splunk From 9.3.0 (inc) to 9.3.9 (exc)
splunk splunk From 9.4.0 (inc) to 9.4.7 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-532 The product writes sensitive information to a log file.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-20138 is a medium-severity vulnerability affecting certain versions of Splunk Enterprise prior to 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11. In Splunk Search Head Cluster deployments, users who have roles with access to the internal Splunk index called "_internal" can view sensitive Duo Two-Factor Authentication secrets in plaintext.'}, {'type': 'paragraph', 'content': 'These secrets include the integrationKey, secretKey, and appSecretKey, which are used for Duo MFA integration and are stored in the authentication.conf configuration file. The vulnerability occurs because these secrets are exposed within the "_internal" index, making them searchable by authorized users, leading to sensitive information disclosure.'}] [1]

Impact Analysis

This vulnerability can lead to the disclosure of sensitive authentication secrets used for Duo Two-Factor Authentication in Splunk Enterprise. If an attacker or unauthorized user with high privileges accesses these secrets, they could potentially compromise the multi-factor authentication mechanism.

The impact includes a loss of confidentiality, integrity, and availability of the authentication system, as indicated by the CVSS score. This could allow attackers to bypass or weaken the security provided by Duo MFA, potentially leading to unauthorized access to systems protected by this authentication.

Compliance Impact

I don't know

Detection Guidance

No specific detection methods or commands are provided to identify this vulnerability on your network or system.

Mitigation Strategies

To mitigate this vulnerability, upgrade Splunk Enterprise to versions 10.2.0, 10.0.2, 9.4.7, 9.3.9, 9.2.11, or later.

Additionally, rotate the integrationKey and secretKey via the Duo Security configuration page.

Manually generate a new appSecretKey in the authentication.conf file to further reduce risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20138. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart