CVE-2026-20165
Received Received - Intake
Improper Access Control in Splunk MongoClient Logs Exposes Data

Publication date: 2026-03-11

Last updated on: 2026-03-24

Assigner: Cisco Systems, Inc.

Description
In Splunk Enterprise versions below 10.2.1, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.7, 10.1.2507.17, 10.0.2503.12, and 9.3.2411.124, a low-privileged user that does not hold the "admin" or "power" Splunk roles could retrieve sensitive information by inspecting the job's search log due to improper access control in the MongoClient logging channel.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-14
NVD
CVE-2026-20165
EUVD
EUVD-2026-11232
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
splunk splunk From 9.4.0 (inc) to 9.4.9 (exc)
splunk splunk From 10.0.0 (inc) to 10.0.4 (exc)
splunk splunk From 9.3.0 (inc) to 9.3.10 (exc)
splunk splunk 10.2.0
splunk splunk_cloud_platform From 10.0.2503 (inc) to 10.0.2503.12 (exc)
splunk splunk_cloud_platform From 9.3.2411 (inc) to 9.3.2411.124 (exc)
splunk splunk_cloud_platform From 10.1.2507 (inc) to 10.1.2507.17 (exc)
splunk splunk_cloud_platform From 10.2.2510 (inc) to 10.2.2510.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-532 The product writes sensitive information to a log file.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-20165 is a medium-severity vulnerability in Splunk Enterprise and Splunk Cloud Platform that allows low-privileged users without "admin" or "power" roles to access sensitive information.'}, {'type': 'paragraph', 'content': "This happens because of improper access control in the MongoClient logging channel, which lets these users inspect the job's search log and retrieve sensitive data."}, {'type': 'paragraph', 'content': 'The vulnerability affects specific versions of Splunk Enterprise and Splunk Cloud Platform below certain fixed releases.'}] [1]

Impact Analysis

This vulnerability can lead to the exposure of sensitive information to unauthorized users who have low privileges within the Splunk environment.

Such exposure could compromise confidentiality, potentially allowing attackers or unauthorized users to gain insights into sensitive data or system operations.

The CVSS score of 6.3 indicates a moderate risk, with impacts on confidentiality, integrity, and availability.

Compliance Impact

I don't know

Detection Guidance

No specific detection methods or commands for identifying this vulnerability on your network or system are provided in the available information.

Mitigation Strategies

The recommended mitigation is to upgrade Splunk Enterprise or Splunk Cloud Platform to the fixed versions: Splunk Enterprise 10.2.1, 10.0.4, 9.4.9, or 9.3.10, or the corresponding fixed versions for Splunk Cloud Platform.

As a workaround, disabling Splunk Web, which must be enabled for the vulnerability to be exploitable, can serve as an immediate mitigation step.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20165. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart