CVE-2026-20142
Received Received - Intake
Plaintext RSA Key Exposure in Splunk Search Head Cluster

Publication date: 2026-02-18

Last updated on: 2026-02-23

Assigner: Cisco Systems, Inc.

Description
In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the Splunk `_internal` index could view the RSA `accessKey` value from the [<u>Authentication.conf</u> ](https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/10.2/configuration-file-reference/10.2.0-configuration-file-reference/authentication.conf)file, in plain text.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-02-23
Generated
2026-05-27
AI Q&A
2026-02-18
EPSS Evaluated
2026-05-25
NVD
CVE-2026-20142
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
splunk splunk From 10.0.0 (inc) to 10.0.2 (exc)
splunk splunk From 9.2.0 (inc) to 9.2.11 (exc)
splunk splunk From 9.3.0 (inc) to 9.3.9 (exc)
splunk splunk From 9.4.0 (inc) to 9.4.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-532 The product writes sensitive information to a log file.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-20142 is a vulnerability in Splunk Enterprise versions prior to 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11 that affects Splunk Search Head Cluster (SHC) deployments.

Users who have roles with access to the Splunk _internal index can view the RSA accessKey value stored in the Authentication.conf file in plaintext. This means sensitive information is exposed to users who should not have access to this secret key.

This vulnerability is classified as sensitive information disclosure (CWE-532) and has a CVSSv3.1 score of 6.8, indicating a medium severity. It requires adjacent network access and high privileges but no user interaction.


How can this vulnerability impact me? :

This vulnerability can lead to the exposure of the RSA accessKey in plaintext to users with certain access privileges, which compromises the confidentiality of sensitive authentication credentials.

An attacker or unauthorized user with access to the _internal index could misuse the exposed RSA accessKey to compromise the integrity and availability of the Splunk Enterprise environment.

Because the vulnerability impacts confidentiality, integrity, and availability at a high level, it could lead to unauthorized access, data breaches, or disruption of services.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

No specific detection methods or commands are provided in the available information to detect this vulnerability on your network or system.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade your Splunk Enterprise deployment to one of the fixed versions: 10.0.2, 9.4.7, 9.3.9, 9.2.11, or any version 10.2 and above.

Additionally, it is recommended to rotate the RSA accessKey secret and update the authentication.conf file accordingly to prevent further risk.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart