CVE-2026-20165
Received Received - Intake
Improper Access Control in Splunk MongoClient Logs Exposes Data

Publication date: 2026-03-11

Last updated on: 2026-03-24

Assigner: Cisco Systems, Inc.

Description
In Splunk Enterprise versions below 10.2.1, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.7, 10.1.2507.17, 10.0.2503.12, and 9.3.2411.124, a low-privileged user that does not hold the "admin" or "power" Splunk roles could retrieve sensitive information by inspecting the job's search log due to improper access control in the MongoClient logging channel.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-24
Generated
2026-05-27
AI Q&A
2026-03-11
EPSS Evaluated
2026-05-25
NVD
CVE-2026-20165
EUVD
EUVD-2026-11232
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
splunk splunk From 9.4.0 (inc) to 9.4.9 (exc)
splunk splunk From 10.0.0 (inc) to 10.0.4 (exc)
splunk splunk From 9.3.0 (inc) to 9.3.10 (exc)
splunk splunk 10.2.0
splunk splunk_cloud_platform From 10.0.2503 (inc) to 10.0.2503.12 (exc)
splunk splunk_cloud_platform From 9.3.2411 (inc) to 9.3.2411.124 (exc)
splunk splunk_cloud_platform From 10.1.2507 (inc) to 10.1.2507.17 (exc)
splunk splunk_cloud_platform From 10.2.2510 (inc) to 10.2.2510.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-532 The product writes sensitive information to a log file.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

[{'type': 'paragraph', 'content': 'CVE-2026-20165 is a medium-severity vulnerability in Splunk Enterprise and Splunk Cloud Platform that allows low-privileged users without "admin" or "power" roles to access sensitive information.'}, {'type': 'paragraph', 'content': "This happens because of improper access control in the MongoClient logging channel, which lets these users inspect the job's search log and retrieve sensitive data."}, {'type': 'paragraph', 'content': 'The vulnerability affects specific versions of Splunk Enterprise and Splunk Cloud Platform below certain fixed releases.'}] [1]


How can this vulnerability impact me? :

This vulnerability can lead to the exposure of sensitive information to unauthorized users who have low privileges within the Splunk environment.

Such exposure could compromise confidentiality, potentially allowing attackers or unauthorized users to gain insights into sensitive data or system operations.

The CVSS score of 6.3 indicates a moderate risk, with impacts on confidentiality, integrity, and availability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

No specific detection methods or commands for identifying this vulnerability on your network or system are provided in the available information.


What immediate steps should I take to mitigate this vulnerability?

The recommended mitigation is to upgrade Splunk Enterprise or Splunk Cloud Platform to the fixed versions: Splunk Enterprise 10.2.1, 10.0.4, 9.4.9, or 9.3.10, or the corresponding fixed versions for Splunk Cloud Platform.

As a workaround, disabling Splunk Web, which must be enabled for the vulnerability to be exploitable, can serve as an immediate mitigation step.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart