CVE-2026-20142
Received Received - Intake
Plaintext RSA Key Exposure in Splunk Search Head Cluster

Publication date: 2026-02-18

Last updated on: 2026-02-23

Assigner: Cisco Systems, Inc.

Description
In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the Splunk `_internal` index could view the RSA `accessKey` value from the [<u>Authentication.conf</u> ](https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/10.2/configuration-file-reference/10.2.0-configuration-file-reference/authentication.conf)file, in plain text.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2026-02-18
EPSS Evaluated
2026-06-14
NVD
CVE-2026-20142
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
splunk splunk From 10.0.0 (inc) to 10.0.2 (exc)
splunk splunk From 9.2.0 (inc) to 9.2.11 (exc)
splunk splunk From 9.3.0 (inc) to 9.3.9 (exc)
splunk splunk From 9.4.0 (inc) to 9.4.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-532 The product writes sensitive information to a log file.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-20142 is a vulnerability in Splunk Enterprise versions prior to 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11 that affects Splunk Search Head Cluster (SHC) deployments.

Users who have roles with access to the Splunk _internal index can view the RSA accessKey value stored in the Authentication.conf file in plaintext. This means sensitive information is exposed to users who should not have access to this secret key.

This vulnerability is classified as sensitive information disclosure (CWE-532) and has a CVSSv3.1 score of 6.8, indicating a medium severity. It requires adjacent network access and high privileges but no user interaction.

Impact Analysis

This vulnerability can lead to the exposure of the RSA accessKey in plaintext to users with certain access privileges, which compromises the confidentiality of sensitive authentication credentials.

An attacker or unauthorized user with access to the _internal index could misuse the exposed RSA accessKey to compromise the integrity and availability of the Splunk Enterprise environment.

Because the vulnerability impacts confidentiality, integrity, and availability at a high level, it could lead to unauthorized access, data breaches, or disruption of services.

Compliance Impact

I don't know

Detection Guidance

No specific detection methods or commands are provided in the available information to detect this vulnerability on your network or system.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Splunk Enterprise deployment to one of the fixed versions: 10.0.2, 9.4.7, 9.3.9, 9.2.11, or any version 10.2 and above.

Additionally, it is recommended to rotate the RSA accessKey secret and update the authentication.conf file accordingly to prevent further risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20142. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart