CVE-2026-20138
Received - Intake
Information Disclosure in Splunk SHC Exposes Duo 2FA Secrets

Publication date: 2026-02-18

Last updated on: 2026-02-20

Assigner: Cisco Systems, Inc.

Description
In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the Splunk `_internal` index could view the `integrationKey`, `secretKey`, and `appSecretKey` secrets, generated by [Duo Two-Factor Authentication for Splunk Enterprise](https://duo.com/docs/splunk), in plain text.
Meta Information
Published: 2026-02-18
Last Modified: 2026-02-20
Generated: 2026-05-07
AI Q&A: 2026-02-18
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 4 associated CPEs

| Vendor | Product | Version / Range |
|---|---|---|
| splunk | splunk | From 10.0.0 (inc) to 10.0.2 (exc) |
| splunk | splunk | From 9.2.0 (inc) to 9.2.11 (exc) |
| splunk | splunk | From 9.3.0 (inc) to 9.3.9 (exc) |
| splunk | splunk | From 9.4.0 (inc) to 9.4.7 (exc) |

| CWE ID | Description |
|---|---|
| CWE-532 | The product writes sensitive information to a log file. |

AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-20138 is a medium-severity vulnerability affecting certain versions of Splunk Enterprise prior to 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11. In Splunk Search Head Cluster deployments, users who have roles with access to the internal Splunk index called "_internal" can view sensitive Duo Two-Factor Authentication secrets in plaintext.

These secrets include the integrationKey, secretKey, and appSecretKey, which are used for Duo MFA integration and are stored in the authentication.conf configuration file. The vulnerability occurs because these secrets are exposed within the "_internal" index, making them searchable by authorized users, leading to sensitive information disclosure. [1]


How can this vulnerability impact me?

This vulnerability can lead to the disclosure of sensitive authentication secrets used for Duo Two-Factor Authentication in Splunk Enterprise. If an attacker or unauthorized user with high privileges accesses these secrets, they could potentially compromise the multi-factor authentication mechanism.

The impact includes a loss of confidentiality, integrity, and availability of the authentication system, as indicated by the CVSS score. This could allow attackers to bypass or weaken the security provided by Duo MFA, potentially leading to unauthorized access to systems protected by this authentication.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

No specific detection methods or commands are provided to identify this vulnerability on your network or system.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade Splunk Enterprise to versions 10.2.0, 10.0.2, 9.4.7, 9.3.9, 9.2.11, or later.

Additionally, rotate the integrationKey and secretKey via the Duo Security configuration page.

Manually generate a new appSecretKey in the authentication.conf file to further reduce risk.
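
To decide which of the three secrets need rotating, a defender can check events exported from the `_internal` index for the key names with a clear-text value. The following is an added example, not code from Splunk, Duo or this page's source; the `name = value` line layout and the sample events are constructed assumptions, since the page does not give the actual log format.

```python
import re

# Key names taken from the CVE description.
DUO_KEYS = ("integrationKey", "secretKey", "appSecretKey")

# Assumption: a secret appears as name=value, name: value or "name": "value".
# The lookbehind keeps longer identifiers (e.g. "mysecretKey") from matching.
_PATTERN = re.compile(
    r'(?<![A-Za-z0-9_])(?P<key>' + "|".join(DUO_KEYS) + r')'
    r'(?P<sep>"?\s*[=:]\s*"?)(?P<value>[^\s",;]+)'
)


def scan_events(lines):
    """Return (findings, redacted_lines). findings maps each key name to the
    1-based line numbers where it appears with a non-masked value."""
    findings = {}
    redacted = []
    for lineno, line in enumerate(lines, start=1):
        def _mask(m):
            if set(m.group("value")) <= {"*"}:
                return m.group(0)  # already masked, nothing exposed
            findings.setdefault(m.group("key"), []).append(lineno)
            return m.group("key") + m.group("sep") + "[REDACTED]"
        redacted.append(_PATTERN.sub(_mask, line))
    return findings, redacted


def keys_to_rotate(findings):
    """Keys seen in clear text, in the order the advisory lists them."""
    return [k for k in DUO_KEYS if k in findings]


# Constructed sample events (not real Splunk output, not real secrets).
SAMPLE = [
    '02-18-2026 10:00:01 INFO ConfExample - integrationKey = DIEXAMPLE0000000000',
    '02-18-2026 10:00:01 INFO ConfExample - secretKey = ExAmPlEsEcReT appSecretKey = ExAmPlEaPp',
    '02-18-2026 10:00:02 INFO ConfExample - secretKey = ********',
    '02-18-2026 10:00:03 INFO Metrics - group=search_concurrency active=2',
]

if __name__ == "__main__":
    found, clean = scan_events(SAMPLE)
    for line in clean:
        print(line)
    print("rotate:", keys_to_rotate(found))
```

Only the redacted lines should be shared in tickets or reports, so the check does not create another copy of the secrets.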

