CVE-2026-20166
Received Received - Intake
Improper Access Control in Splunk Observability Cloud App Allows Token Exposure

Publication date: 2026-03-11

Last updated on: 2026-03-24

Assigner: Cisco Systems, Inc.

Description
In Splunk Enterprise versions below 10.2.1 and 10.0.4, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, and 10.0.2503.12, a low-privileged user that does not hold the "admin" or "power" Splunk roles could retrieve the Observability Cloud API access token through the Discover Splunk Observability Cloud app due to improper access control. This vulnerability does not affect Splunk Enterprise versions below 9.4.9 and 9.3.10 because the Discover Splunk Observability Cloud app does not come with Splunk Enterprise.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-14
NVD
CVE-2026-20166
EUVD
EUVD-2026-11234
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
splunk splunk From 10.0.0 (inc) to 10.0.4 (exc)
splunk splunk 10.2.0
splunk splunk_cloud_platform From 10.1.2507 (inc) to 10.1.2507.16 (exc)
splunk splunk_cloud_platform From 10.2.2510 (inc) to 10.2.2510.5 (exc)
splunk splunk_cloud_platform From 10.0.2503 (inc) to 10.0.2503.12 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-20166 is a medium-severity vulnerability in certain versions of Splunk Enterprise and Splunk Cloud Platform. It occurs because of improper access control in the Discover Splunk Observability Cloud app. This flaw allows a low-privileged user, who does not have the "admin" or "power" roles, to retrieve the Observability Cloud API access token.'}, {'type': 'paragraph', 'content': 'The vulnerability affects Splunk Enterprise versions below 10.2.1 and 10.0.4, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, and 10.0.2503.12. It does not affect earlier Splunk Enterprise versions below 9.4.9 and 9.3.10 because the vulnerable app is not included in those versions.'}] [1]

Impact Analysis

This vulnerability can impact you by allowing unauthorized low-privileged users to access the Observability Cloud API access token. With this token, an attacker could potentially gain access to sensitive observability data or perform actions within the Observability Cloud environment that should be restricted.

Such unauthorized access could lead to information exposure and compromise the confidentiality and integrity of your monitoring and observability data.

Compliance Impact

I don't know

Detection Guidance

No specific detection methods or commands for identifying this vulnerability on a network or system are provided in the available information.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Splunk Enterprise or Splunk Cloud Platform to the fixed versions where the issue is resolved.

  • Upgrade Splunk Enterprise to version 10.2.1 or later if using 10.2.0, or to 10.0.4 or later if using versions 10.0.0 to 10.0.3.
  • Upgrade Splunk Cloud Platform to at least 10.2.2510.5, 10.1.2507.16, or 10.0.2503.12 depending on your current version.

After upgrading, rotate the Observability API token to maintain security.

Alternatively, you can disable the Discover Splunk Observability Cloud app, which eliminates the risk without impact and reduces the severity to informational.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20166. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart