CVE-2026-20166
Improper Access Control in Splunk Observability Cloud App Allows Token Exposure
Publication date: 2026-03-11
Last updated on: 2026-03-24
Assigner: Cisco Systems, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| splunk | splunk | From 10.0.0 (inc) to 10.0.4 (exc) |
| splunk | splunk | 10.2.0 |
| splunk | splunk_cloud_platform | From 10.1.2507 (inc) to 10.1.2507.16 (exc) |
| splunk | splunk_cloud_platform | From 10.2.2510 (inc) to 10.2.2510.5 (exc) |
| splunk | splunk_cloud_platform | From 10.0.2503 (inc) to 10.0.2503.12 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-20166 is a medium-severity vulnerability in certain versions of Splunk Enterprise and Splunk Cloud Platform. It occurs because of improper access control in the Discover Splunk Observability Cloud app. This flaw allows a low-privileged user, who does not have the "admin" or "power" roles, to retrieve the Observability Cloud API access token.

The vulnerability affects Splunk Enterprise versions below 10.2.1 and 10.0.4, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, and 10.0.2503.12. It does not affect earlier Splunk Enterprise versions below 9.4.9 and 9.3.10 because the vulnerable app is not included in those versions. [1]
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthorized low-privileged users to access the Observability Cloud API access token. With this token, an attacker could potentially gain access to sensitive observability data or perform actions within the Observability Cloud environment that should be restricted.
Such unauthorized access could lead to information exposure and compromise the confidentiality and integrity of your monitoring and observability data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
No specific detection methods or commands for identifying this vulnerability on a network or system are provided in the available information.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Splunk Enterprise or Splunk Cloud Platform to the fixed versions where the issue is resolved.
- Upgrade Splunk Enterprise to version 10.2.1 or later if using 10.2.0, or to 10.0.4 or later if using versions 10.0.0 to 10.0.3.
- Upgrade Splunk Cloud Platform to at least 10.2.2510.5, 10.1.2507.16, or 10.0.2503.12 depending on your current version.
After upgrading, rotate the Observability API token to maintain security.
Alternatively, if the app is not needed, you can disable the Discover Splunk Observability Cloud app. This removes the token exposure path without requiring an upgrade and reduces the severity to informational.