Detection Guidance

The vulnerability involves improper access control due to the srchFilter configuration in the authorize.conf file of the Splunk AI Toolkit app versions below 5.7.3. Detection involves checking if the vulnerable versions of the app are installed and if the srchFilter entry modifies the built-in 'user' role.

To detect this vulnerability on your system, you can:

• Verify the installed version of the Splunk AI Toolkit app to see if it is below 5.7.3.
• Inspect the authorize.conf file within the app directory for the presence of a srchFilter entry modifying the 'user' role.
• Check user roles and their inherited search filters to identify if the OR SPL operator is causing unintended access.

Example commands that may help in detection (assuming access to the Splunk server and its configuration files):

• Check the app version: `splunk display app splunk_ai_toolkit` or check the app's version.conf file.
• Search for srchFilter entries in authorize.conf: `grep -i srchFilter $SPLUNK_HOME/etc/apps/splunk_ai_toolkit/local/authorize.conf`
• Review user roles and their search filters via Splunk's REST API or CLI to identify if filters are combined with OR operators leading to access issues.

If these checks confirm the presence of the vulnerable configuration and app version, the system is likely affected.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-20238 is an improper access control vulnerability in the Splunk AI Toolkit app versions below 5.7.3.

A low-privileged user who does not have 'admin' or 'power' roles can access confidential data that should be restricted by srchFilter configurations on custom roles.

This happens because the app's authorize.conf file modifies the built-in 'user' role, and the Splunk platform combines inherited search filters using the OR SPL operator, which overrides more restrictive filters on child roles.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows low-privileged users to access confidential data that should be restricted, potentially exposing sensitive information.

Since the vulnerability leads to unauthorized data disclosure, it can compromise data confidentiality without affecting data integrity or availability.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate the vulnerability in Splunk AI Toolkit versions below 5.7.3, you should take the following immediate steps:

• Upgrade the Splunk AI Toolkit app to version 5.7.3 or higher.
• Disable the Splunk AI Toolkit app until the patch is applied.
• Edit the authorize.conf file to remove or override the srchFilter line that modifies the built-in 'user' role.
• Restrict access to the ai_agent_run_history_index index.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows low-privileged users to access confidential data that should be restricted, which can lead to unauthorized disclosure of sensitive information.

Such unauthorized access to confidential data may result in non-compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls over access to sensitive personal and health information.

Therefore, organizations using affected versions of the Splunk AI Toolkit could face compliance risks if this vulnerability is exploited.

Useful 0 Not Useful 0