CVE-2026-20139
Received Received - Intake
Client-Side DoS via Parameter Injection in Splunk Authentication API

Publication date: 2026-02-18

Last updated on: 2026-02-20

Assigner: Cisco Systems, Inc.

Description
In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.8, 9.3.9, and 9.2.12, and Splunk Cloud Platform versions below 10.2.2510.3, 10.1.2507.8, 10.0.2503.9, and 9.3.2411.121, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload into the `realname`, `tz`, or `email` parameters of the `/splunkd/__raw/services/authentication/users/username` REST API endpoint when they change a password. This could potentially lead to a client‑side denial‑of‑service (DoS). The malicious payload might significantly slow page load times or render Splunk Web temporarily unresponsive.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-18
EPSS Evaluated
2026-06-14
NVD
CVE-2026-20139
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
splunk splunk From 10.0.0 (inc) to 10.0.2 (exc)
splunk splunk_cloud_platform From 10.0.2503 (inc) to 10.0.2503.9 (exc)
splunk splunk From 9.3.0 (inc) to 9.3.9 (exc)
splunk splunk From 9.2.0 (inc) to 9.2.12 (exc)
splunk splunk From 9.4.0 (inc) to 9.4.8 (exc)
splunk splunk_cloud_platform From 10.1.2507 (inc) to 10.1.2507.8 (exc)
splunk splunk_cloud_platform From 10.2.2510 (inc) to 10.2.2510.3 (exc)
splunk splunk_cloud_platform From 9.3.2411 (inc) to 9.3.2411.121 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-20139 is a medium-severity client-side denial-of-service (DoS) vulnerability in Splunk Enterprise and Splunk Cloud Platform. It affects versions prior to certain fixed releases. The vulnerability occurs because a low-privileged user without β€œadmin” or β€œpower” roles can inject a malicious payload into the realname, tz, or email parameters of the /splunkd/__raw/services/authentication/users/username REST API endpoint during a password change operation.

This malicious payload can cause significant delays in page load times or temporarily make Splunk Web unresponsive, resulting in a client-side DoS condition.

Impact Analysis

This vulnerability can impact you by causing a client-side denial-of-service (DoS) on Splunk Web. Specifically, it can significantly slow down page load times or temporarily render the Splunk Web interface unresponsive.

Since the attack can be performed by a low-privileged user without admin or power roles, it could disrupt normal operations or user experience without requiring elevated privileges.

Compliance Impact

I don't know

Detection Guidance

No specific detection methods or commands for identifying this vulnerability on a network or system are provided in the available information.

Mitigation Strategies

To mitigate this vulnerability, upgrade Splunk Enterprise to versions 10.2.0, 10.0.2, 9.4.8, 9.3.9, or 9.2.12 or later.

For Splunk Cloud Platform, upgrade to versions 10.2.2510.3, 10.1.2507.8, 10.0.2503.9, or 9.3.2411.121 or later.

As a workaround, disabling Splunk Web can prevent exploitation of this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20139. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart