CVE-2026-20144
Information Disclosure in Splunk SHC via SAML Configurations
Publication date: 2026-02-18
Last updated on: 2026-02-23
Assigner: Cisco Systems, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| splunk | splunk | From 10.0.0 (inc) to 10.0.2 (exc) |
| splunk | splunk | From 9.3.0 (inc) to 9.3.8 (exc) |
| splunk | splunk_cloud_platform | From 9.3.2411 (inc) to 9.3.2411.120 (exc) |
| splunk | splunk_cloud_platform | From 10.0.2503 (inc) to 10.0.2503.9 (exc) |
| splunk | splunk | From 9.2.0 (inc) to 9.2.11 (exc) |
| splunk | splunk | From 9.4.0 (inc) to 9.4.7 (exc) |
| splunk | splunk_cloud_platform | From 10.1.2507 (inc) to 10.1.2507.11 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-532 | The product writes sensitive information to a log file. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-20144 is a medium-severity sensitive information disclosure vulnerability affecting certain versions of Splunk Enterprise and Splunk Cloud Platform. It occurs in Splunk Search Head Cluster (SHC) deployments: users whose roles grant access to the Splunk _internal index can read Security Assertion Markup Language (SAML) configuration values related to Attribute Query Requests (AQRs) or to Authentication extensions in plain text in the conf.log file.
The exposed values include the AQR password and the secure script arguments of Authentication extensions. Which of these is exposed depends on which of the two features is configured; the root cause in both cases is that the values are written to conf.log in plain text (CWE-532) rather than in an encrypted form.
How can this vulnerability impact me?
The main risk is credential compromise: the SAML AQR password and the secure script arguments of Authentication extensions are exposed in logs readable by any user whose role has access to the _internal index.
The CVSS vector rates the confidentiality, integrity, and availability impact as high. The vulnerability itself only discloses information, but an attacker or unauthorized user who reads the logs could reuse the leaked credentials to gain unauthorized access or disrupt services.
Exploitation requires high privileges (a role with access to the _internal index) and no user interaction, and the attack vector is adjacent network.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
No specific detection methods or commands are provided for this vulnerability.
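The page lists no detection commands, but one check an administrator can run on a search head cluster member is to scan conf.log (or a file exported from the corresponding _internal events) for SAML secret-bearing settings whose values are not in Splunk's encrypted form. The script below is an added example, not Splunk's tooling and not part of this advisory. It assumes that `attributeQuerySoapPassword` and `scriptSecureArguments` are the authentication.conf setting names carrying the AQR password and the extension secure arguments, that Splunk-encrypted values start with `$1$` or `$7$`, and that `scriptSecureArguments` is a `;`-separated list of `name:secret` pairs; the sample log lines are constructed and only their `key=value` tokens matter, so the scanner does not depend on the exact conf.log layout.

```python
"""Scan conf.log lines for SAML secrets that were written in plain text.

Added example (not Splunk's tooling). Assumptions, all labelled:
  * attributeQuerySoapPassword and scriptSecureArguments are the
    authentication.conf setting names assumed to carry the AQR password
    and the authentication-extension secure arguments.
  * A value Splunk has already encrypted starts with "$1$" or "$7$";
    anything else for a secret-bearing key is treated as plain text.
  * The scanner only looks for key=value tokens, so it does not depend on
    the exact conf.log line layout; the sample lines below are constructed.
"""
import re
import sys

SECRET_KEYS = {"attributeQuerySoapPassword"}   # assumed setting name
SECURE_ARGS_KEYS = {"scriptSecureArguments"}   # assumed setting name
ENCRYPTED_PREFIXES = ("$1$", "$7$")            # Splunk encrypted-value markers

KV_RE = re.compile(r'(?P<key>[A-Za-z][A-Za-z0-9_]*)=(?P<value>"[^"]*"|\S+)')

# Constructed sample; real conf.log lines will differ in layout.
CONSTRUCTED_CONF_LOG = """\
02-18-2026 10:01:02.123 +0000 INFO  ConfReplication - conf=authentication stanza=saml attributeQuerySoapPassword=$7$c2FtcGxlLWNpcGhlcnRleHQ=
02-18-2026 10:01:02.130 +0000 INFO  ConfReplication - conf=authentication stanza=saml attributeQuerySoapPassword=Sup3rS3cret!
02-18-2026 10:01:03.000 +0000 INFO  ConfReplication - conf=authentication stanza=saml scriptSecureArguments=apiToken:$7$ZW5jcnlwdGVk;tenantKey:hunter2
02-18-2026 10:01:04.000 +0000 INFO  ConfReplication - conf=authentication stanza=saml idpSSOUrl=https://idp.example.com/sso
02-18-2026 10:01:05.000 +0000 INFO  ConfReplication - conf=server stanza=general pass4SymmKey=notInScopeOfThisCve
"""


def _is_encrypted(secret):
    return secret.startswith(ENCRYPTED_PREFIXES)


def _mask(secret):
    # Keep one character so an operator can match the finding against the
    # config without copying the secret into yet another log or ticket.
    return secret[:1] + "***"


def find_plaintext_saml_secrets(lines):
    """Return one finding per plain-text SAML secret, with the value masked."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        if "saml" not in line.lower():
            continue  # stay within the advisory's scope: SAML settings only
        for m in KV_RE.finditer(line):
            key, value = m.group("key"), m.group("value").strip('"')
            if key in SECRET_KEYS or "password" in key.lower():
                if not _is_encrypted(value):
                    findings.append({"line": lineno, "key": key, "arg": None,
                                     "masked": _mask(value)})
            elif key in SECURE_ARGS_KEYS:
                # Assumed format: ';'-separated name:secret pairs, each
                # secret checked on its own so a mixed list is still caught.
                for pair in filter(None, value.split(";")):
                    name, _, secret = pair.partition(":")
                    if not _is_encrypted(secret):
                        findings.append({"line": lineno, "key": key, "arg": name,
                                         "masked": _mask(secret)})
    return findings


if __name__ == "__main__":
    # Usage: python3 scan_conf_log.py [/opt/splunk/var/log/splunk/conf.log]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = CONSTRUCTED_CONF_LOG.splitlines()
    for f in find_plaintext_saml_secrets(lines):
        where = f["key"] + (f":{f['arg']}" if f["arg"] else "")
        print(f"line {f['line']}: {where} is plain text ({f['masked']})")
```

The findings deliberately carry only a masked value: a detection that copies the leaked secret into a ticket or another index recreates the problem it is looking for. Drop the `saml` line filter to scan every secret-bearing key in the file, not just the ones in this advisory's scope.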
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Splunk Enterprise to 10.2.0, 10.0.2, 9.4.7, 9.3.8, or 9.2.11, or upgrade Splunk Cloud Platform to the corresponding fixed versions listed in the affected-versions table above.
Upgrading stops further plain-text logging but does not remove entries already written to conf.log or already indexed into _internal, so also rotate the passwords used in SAML Attribute Query Request (AQR) configurations and all sensitive key values in the SAML Authentication extensions' "Script secure arguments".
These configurations can be accessed and managed via Splunk Web under Settings > Authentication methods > SAML - Configure Splunk to use SAML > SAML Config.
Splunk actively monitors and patches affected Cloud Platform instances. [1]
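To decide whether a given instance falls inside one of the affected ranges from the table above, the following script is an added example (not Splunk's own code) that encodes those ranges and compares a version string against them, including the four-part Splunk Cloud Platform versions, where a plain tuple comparison gives the inclusive-lower, exclusive-upper semantics the table states. It accepts raw CLI output such as `Splunk 9.3.5 (build ...)`; the product names are the table's own identifiers, and any version the table does not list is reported as not in a listed range rather than as safe.

```python
"""Check a Splunk version string against this CVE's affected ranges.

Added example, not Splunk's code. The ranges are copied from the page's
affected-versions table (inclusive lower bound, exclusive upper bound);
anything the table does not list is reported as not in a listed range.
"""
import re
import sys

AFFECTED_RANGES = [
    ("splunk", "9.2.0", "9.2.11"),
    ("splunk", "9.3.0", "9.3.8"),
    ("splunk", "9.4.0", "9.4.7"),
    ("splunk", "10.0.0", "10.0.2"),
    ("splunk_cloud_platform", "9.3.2411", "9.3.2411.120"),
    ("splunk_cloud_platform", "10.0.2503", "10.0.2503.9"),
    ("splunk_cloud_platform", "10.1.2507", "10.1.2507.11"),
]

VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_version(text):
    """Extract the first dotted number from text, e.g. 'Splunk 9.3.5 (build ...)'.

    Tuples compare element-wise, so (9, 3, 2411) < (9, 3, 2411, 120), which
    is exactly what the table's 'from 9.3.2411 (inc)' lower bound needs.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def affected_range(product, version_text):
    """Return the (lower, upper) range containing the version, or None."""
    version = parse_version(version_text)
    for prod, lower, upper in AFFECTED_RANGES:
        if prod == product and parse_version(lower) <= version < parse_version(upper):
            return (lower, upper)
    return None


def is_affected(product, version_text):
    return affected_range(product, version_text) is not None


if __name__ == "__main__":
    # Usage: python3 check_version.py splunk "$($SPLUNK_HOME/bin/splunk version)"
    product, version_text = sys.argv[1], " ".join(sys.argv[2:])
    rng = affected_range(product, version_text)
    if rng:
        print(f"AFFECTED: {version_text} is in [{rng[0]}, {rng[1]})")
    else:
        print(f"not in a listed affected range: {version_text}")
```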