CVE-2026-20205
Cleartext Session Token Exposure in Splunk MCP Server
Publication date: 2026-04-15
Last updated on: 2026-04-15
Assigner: Cisco Systems, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| splunk | mcp_server | up to 1.0.3 (exclusive) |
| splunk | mcp_server_app | up to 1.0.3 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-532 | The product writes sensitive information to a log file. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-20205 is a high-severity vulnerability in Splunk MCP Server app versions below 1.0.3. It allows users who have roles with access to the Splunk _internal index or the high-privilege capability mcp_tool_admin to view user session and authorization tokens in clear text.
Exploitation of this vulnerability requires either local access to log files or administrative access to internal indexes, which by default is restricted to the admin role.
This vulnerability impacts the confidentiality, integrity, and availability of sensitive information.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of user session and authorization tokens, which compromises the confidentiality of sensitive information.
An attacker with access could potentially impersonate users or escalate privileges, impacting the integrity and availability of the system.
Because the tokens are exposed in clear text, it increases the risk of session hijacking or unauthorized access.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
No specific detection methods or commands are provided for identifying this vulnerability on your network or system.
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate mitigation is to upgrade the Splunk MCP Server app to version 1.0.3 or higher.
Additionally, review roles and capabilities on your Splunk instance and restrict access to the _internal index to administrator-level roles only.
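One way to carry out the role review described above, as an added example that is not taken from the Splunk advisory or this page's source: it reads authorize.conf text, follows importRoles inheritance, and lists every non-admin role that can search _internal or holds mcp_tool_admin. The sample configuration and all role names other than admin are constructed, and the check assumes access is granted through the standard srchIndexesAllowed and importRoles settings.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample authorize.conf; role names other than admin are hypothetical.
SAMPLE_AUTHORIZE_CONF = """\
[role_admin]
srchIndexesAllowed = *;_*
mcp_tool_admin = enabled
[role_user]
srchIndexesAllowed = *
[role_soc_analyst]
importRoles = user
srchIndexesAllowed = main;_internal
[role_mcp_operator]
mcp_tool_admin = enabled
[role_auditor]
importRoles = soc_analyst
"""

def matches_internal(pattern):
    # In Splunk a leading "*" covers only non-internal indexes; "_*" covers internal ones.
    return not pattern.startswith("*") and fnmatchcase("_internal", pattern)

def audit_roles(conf_text, trusted=("admin",)):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    roles = {s[len("role_"):]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}
    def effective(name, seen=()):
        # Union of index patterns and enabled capabilities, including imported roles.
        if name in seen or name not in roles:
            return set(), set()
        r = roles[name]
        idx = {p.strip() for p in r.get("srchIndexesAllowed", "").split(";") if p.strip()}
        caps = {k for k, v in r.items() if v.strip().lower() == "enabled"}
        for parent in r.get("importRoles", "").split(";"):
            pi, pc = effective(parent.strip(), seen + (name,))
            idx, caps = idx | pi, caps | pc
        return idx, caps
    findings = {}
    for name in sorted(set(roles) - set(trusted)):
        idx, caps = effective(name)
        reasons = []
        if any(map(matches_internal, idx)):
            reasons.append("can search _internal")
        if "mcp_tool_admin" in caps:
            reasons.append("holds mcp_tool_admin")
        if reasons:
            findings[name] = reasons
    return findings
```

Run it against the merged configuration (for example the output of `splunk btool authorize list`) rather than a single file, so that settings layered across apps are included.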
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows users with certain high-privilege roles to view user session and authorization tokens in clear text, impacting confidentiality, integrity, and availability of sensitive information.
Such exposure of sensitive authentication data could lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information.
Mitigating this vulnerability by upgrading the Splunk MCP Server app and restricting access to internal indexes to administrator-level roles is essential to maintain compliance.