CVE-2026-20205
Received - Intake
Cleartext Session Token Exposure in Splunk MCP Server

Publication date: 2026-04-15

Last updated on: 2026-04-15

Assigner: Cisco Systems, Inc.

Description
In Splunk MCP Server app versions below 1.0.3, a user who holds a role with access to the Splunk `_internal` index or possesses the high-privilege capability `mcp_tool_admin` could view users' session and authorization tokens in clear text.

The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives.

Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) and [Connecting to MCP Server and Admin settings](https://help.splunk.com/en/splunk-enterprise/mcp-server-for-splunk-platform/connecting-to-mcp-server-and-admin-settings) in the Splunk documentation for more information.
Meta Information
Published: 2026-04-15
Last Modified: 2026-04-15
Generated: 2026-06-16
AI Q&A: 2026-04-15
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 2 associated CPEs

| Vendor | Product | Version / Range |
| --- | --- | --- |
| splunk | mcp_server | to 1.0.3 (exc) |
| splunk | mcp_server_app | to 1.0.3 (exc) |

| CWE ID | Description |
| --- | --- |
| CWE-532 | The product writes sensitive information to a log file. |

Executive Summary

CVE-2026-20205 is a high-severity vulnerability in Splunk MCP Server app versions below 1.0.3. It allows users who have roles with access to the Splunk `_internal` index or the high-privilege capability `mcp_tool_admin` to view user session and authorization tokens in clear text.

Exploitation of this vulnerability requires either local access to log files or administrative access to internal indexes, which by default is restricted to the admin role.

This vulnerability impacts the confidentiality, integrity, and availability of sensitive information.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of user session and authorization tokens, which compromises the confidentiality of sensitive information.

An attacker with access could potentially impersonate users or escalate privileges, impacting the integrity and availability of the system.

Because the tokens are exposed in clear text, the risk of session hijacking or unauthorized access increases.

Detection Guidance

No specific detection methods or commands are provided for identifying this vulnerability on your network or system.

Mitigation Strategies

The recommended immediate mitigation is to upgrade the Splunk MCP Server app to version 1.0.3 or higher.

Additionally, review roles and capabilities on your Splunk instance and restrict access to the `_internal` index to administrator-level roles only.
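
One way to carry out the role review described above, as an added example (not Splunk's or this page's code): it parses `authorize.conf`-style text and flags non-admin roles that can search `_internal` or hold `mcp_tool_admin`, following `importRoles` inheritance. The sample configuration and its role names are constructed, and treating only `admin` as administrator-level is an assumption.

```python
import configparser
from fnmatch import fnmatchcase
# Constructed sample authorize.conf; roles other than admin/user are hypothetical.
SAMPLE = """
[role_admin]
srchIndexesAllowed = *;_*
[role_user]
srchIndexesAllowed = *
[role_helpdesk]
importRoles = user
srchIndexesAllowed = main;_internal
[role_mcp_ops]
mcp_tool_admin = enabled
[role_auditor]
importRoles = helpdesk
"""
ADMIN_ROLES = {"admin"}  # assumption: the only role treated as administrator-level

def _items(value):
    return [v.strip() for v in value.split(";") if v.strip()]

def parse_roles(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(text)
    return {s[5:]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}

def effective(roles, name, seen=None):  # (index patterns, capabilities) incl. importRoles
    seen = set() if seen is None else seen
    if name in seen or name not in roles:  # stop on import cycles and unknown roles
        return set(), set()
    seen.add(name)
    cfg = roles[name]
    idx = set(_items(cfg.get("srchIndexesAllowed", "")))
    caps = {k for k, v in cfg.items() if v.strip().lower() == "enabled"}
    for parent in _items(cfg.get("importRoles", "")):
        p_idx, p_caps = effective(roles, parent, seen)
        idx, caps = idx | p_idx, caps | p_caps
    return idx, caps

def audit(text, admin_roles=ADMIN_ROLES):
    findings, roles = {}, parse_roles(text)
    for name in (r for r in roles if r not in admin_roles):
        idx, caps = effective(roles, name)
        # A bare "*" excludes internal indexes; only "_"-prefixed patterns can match.
        hits = [f"index pattern {p}" for p in sorted(idx) if p.startswith("_") and fnmatchcase("_internal", p)]
        hits += ["capability mcp_tool_admin"] if "mcp_tool_admin" in caps else []
        if hits:
            findings[name] = hits
    return findings
```

Run `audit()` on the merged role configuration of the instance rather than a single file, since roles can be defined across several apps.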

Compliance Impact

This vulnerability allows users with certain high-privilege roles to view user session and authorization tokens in clear text, impacting confidentiality, integrity, and availability of sensitive information.

Such exposure of sensitive authentication data could lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information.

Mitigating this vulnerability by upgrading the Splunk MCP Server app and restricting access to internal indexes to administrator-level roles is essential to maintain compliance.
