CVE-2026-20144
Received Received - Intake
Information Disclosure in Splunk SHC via SAML Configurations

Publication date: 2026-02-18

Last updated on: 2026-02-23

Assigner: Cisco Systems, Inc.

Description
In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.8, and 9.2.11, and Splunk Cloud Platform versions below 10.2.2510.0, 10.1.2507.11, 10.0.2503.9, and 9.3.2411.120, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the the Splunk _internal index could view the Security Assertion Markup Language (SAML) configurations for Attribute query requests (AQRs) or Authentication extensions in plain text within the conf.log file, depending on which feature is configured.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2026-02-18
EPSS Evaluated
2026-06-14
NVD
CVE-2026-20144
EUVD
EUVD-2026-7936
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
splunk splunk From 10.0.0 (inc) to 10.0.2 (exc)
splunk splunk From 9.3.0 (inc) to 9.3.8 (exc)
splunk splunk_cloud_platform From 9.3.2411 (inc) to 9.3.2411.120 (exc)
splunk splunk_cloud_platform From 10.0.2503 (inc) to 10.0.2503.9 (exc)
splunk splunk From 9.2.0 (inc) to 9.2.11 (exc)
splunk splunk From 9.4.0 (inc) to 9.4.7 (exc)
splunk splunk_cloud_platform From 10.1.2507 (inc) to 10.1.2507.11 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-532 The product writes sensitive information to a log file.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-20144 is a medium-severity sensitive information disclosure vulnerability affecting certain versions of Splunk Enterprise and Splunk Cloud Platform. It occurs in Splunk Search Head Cluster (SHC) deployments where users with roles that have access to the Splunk _internal index can view Security Assertion Markup Language (SAML) configurations related to Attribute Query Requests (AQRs) or Authentication extensions in plain text within the conf.log file.

This vulnerability exposes sensitive SAML configuration details, including passwords and secure script arguments, in log files accessible to authorized users. This exposure happens depending on which feature is configured and is due to information being logged in plain text.

Impact Analysis

The vulnerability can lead to credential compromise because sensitive SAML configuration details such as passwords and secure script arguments are exposed in logs accessible to users with certain privileges.

Since the vulnerability impacts confidentiality, integrity, and availability (all rated high), an attacker or unauthorized user with access to the logs could misuse the exposed information to gain unauthorized access or disrupt services.

However, exploitation requires high privileges (roles with access to the _internal index) and occurs without user interaction, with the attack vector being an adjacent network.

Compliance Impact

I don't know

Detection Guidance

No specific detection methods or commands are provided for this vulnerability.

Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate this vulnerability, upgrade Splunk Enterprise or Splunk Cloud Platform to the fixed versions: Splunk Enterprise 10.2.0, 10.0.2, 9.4.7, 9.3.8, or 9.2.11, or the corresponding fixed versions for Splunk Cloud Platform.'}, {'type': 'paragraph', 'content': 'Additionally, rotate passwords used in SAML Attribute Query Request (AQR) configurations and all sensitive key values in SAML Authentication extensions’ "Script secure arguments."'}, {'type': 'paragraph', 'content': 'These configurations can be accessed and managed via Splunk Web under Settings > Authentication methods > SAML - Configure Splunk to use SAML > SAML Config.'}, {'type': 'paragraph', 'content': 'Splunk actively monitors and patches affected Cloud Platform instances.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20144. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart