CVE-2026-20139
Received - Intake
Client-Side DoS via Parameter Injection in Splunk Authentication API

Publication date: 2026-02-18

Last updated on: 2026-02-20

Assigner: Cisco Systems, Inc.

Description
In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.8, 9.3.9, and 9.2.12, and Splunk Cloud Platform versions below 10.2.2510.3, 10.1.2507.8, 10.0.2503.9, and 9.3.2411.121, a low-privileged user who does not hold the "admin" or "power" Splunk roles could inject a malicious payload into the `realname`, `tz`, or `email` parameters of the `/splunkd/__raw/services/authentication/users/username` REST API endpoint when changing a password. This could lead to a client-side denial-of-service (DoS): the malicious payload might significantly slow page load times or render Splunk Web temporarily unresponsive.
Meta Information
Published: 2026-02-18
Last Modified: 2026-02-20
Generated: 2026-05-07
AI Q&A: 2026-02-18
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
8 associated CPEs:

| Vendor | Product | Version / Range |
|---|---|---|
| splunk | splunk | From 10.0.0 (inc) to 10.0.2 (exc) |
| splunk | splunk_cloud_platform | From 10.0.2503 (inc) to 10.0.2503.9 (exc) |
| splunk | splunk | From 9.3.0 (inc) to 9.3.9 (exc) |
| splunk | splunk | From 9.2.0 (inc) to 9.2.12 (exc) |
| splunk | splunk | From 9.4.0 (inc) to 9.4.8 (exc) |
| splunk | splunk_cloud_platform | From 10.1.2507 (inc) to 10.1.2507.8 (exc) |
| splunk | splunk_cloud_platform | From 10.2.2510 (inc) to 10.2.2510.3 (exc) |
| splunk | splunk_cloud_platform | From 9.3.2411 (inc) to 9.3.2411.121 (exc) |
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-20139 is a medium-severity client-side denial-of-service (DoS) vulnerability in Splunk Enterprise and Splunk Cloud Platform. It affects versions prior to certain fixed releases. The vulnerability occurs because a low-privileged user without "admin" or "power" roles can inject a malicious payload into the realname, tz, or email parameters of the /splunkd/__raw/services/authentication/users/username REST API endpoint during a password change operation.

This malicious payload can cause significant delays in page load times or temporarily make Splunk Web unresponsive, resulting in a client-side DoS condition.


How can this vulnerability impact me?

This vulnerability can impact you by causing a client-side denial-of-service (DoS) on Splunk Web. Specifically, it can significantly slow down page load times or temporarily render the Splunk Web interface unresponsive.

Since the attack can be performed by a low-privileged user without admin or power roles, it could disrupt normal operations or user experience without requiring elevated privileges.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

No specific detection methods or commands for identifying this vulnerability on a network or system are provided in the available information.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade Splunk Enterprise to versions 10.2.0, 10.0.2, 9.4.8, 9.3.9, or 9.2.12 or later.

For Splunk Cloud Platform, upgrade to versions 10.2.2510.3, 10.1.2507.8, 10.0.2503.9, or 9.3.2411.121 or later.

As a workaround, disabling Splunk Web can prevent exploitation of this vulnerability.
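
An added example (not from Splunk's advisory or this page's source): a version check built from the CPE ranges listed under Affected Vendors & Products, each start-inclusive and fix-exclusive. The product keys mirror the CPE names; the status labels and the sample inventory are constructed for illustration.

```python
# Added example. Ranges copied from the CPE table on this page:
# each entry is (first affected version, first fixed version).
RANGES = {
    "splunk": [("9.2.0", "9.2.12"), ("9.3.0", "9.3.9"),
               ("9.4.0", "9.4.8"), ("10.0.0", "10.0.2")],
    "splunk_cloud_platform": [("9.3.2411", "9.3.2411.121"),
                              ("10.0.2503", "10.0.2503.9"),
                              ("10.1.2507", "10.1.2507.8"),
                              ("10.2.2510", "10.2.2510.3")],
}

def parse(version):
    """'9.3.2411.121' -> (9, 3, 2411, 121); reject anything non-numeric."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)

def pad(v, width=4):
    """Right-pad with zeros so '10.0' compares equal to '10.0.0'."""
    return v + (0,) * (width - len(v))

def check(product, version):
    """Return (status, fixed_version); status labels are this example's own."""
    # 'not_listed' means no CPE range covers this branch, not that it is safe.
    v = pad(parse(version))
    for start, fixed in RANGES[product]:
        branch = parse(fixed)[:-1]  # e.g. (9, 3) or (9, 3, 2411)
        if pad(parse(start)) <= v < pad(parse(fixed)):
            return ("affected", fixed)
        if v[:len(branch)] == branch and v >= pad(parse(fixed)):
            return ("fixed", fixed)
    return ("not_listed", None)

def triage(inventory):
    """Map each (host, product, version) row to its check() result."""
    return {host: check(product, ver) for host, product, ver in inventory}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("sh-01", "splunk", "9.3.8"),
    ("sh-02", "splunk", "9.4.8"),
    ("idx-01", "splunk", "10.0"),
    ("cloud-a", "splunk_cloud_platform", "9.3.2411.120"),
    ("legacy", "splunk", "9.1.5"),
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE).items():
        print(host, *result)
```

Versions on branches without a CPE range on this page come back as `not_listed` and need a check against the vendor advisory rather than being treated as unaffected.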

