CVE-2026-20239
Analyzed Analyzed - Analysis Complete
Sensitive Data Exposure in Splunk Enterprise and Splunk Cloud Platform

Publication date: 2026-05-20

Last updated on: 2026-05-21

Assigner: Cisco Systems, Inc.

Description
In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a role that has access to the `_internal` index could view session cookies and response bodies that contain sensitive data.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-20
Last Modified
2026-05-21
Generated
2026-06-10
AI Q&A
2026-05-20
EPSS Evaluated
2026-06-08
NVD
CVE-2026-20239
EUVD
EUVD-2026-31139
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
splunk splunk From 10.0.0 (inc) to 10.0.5 (exc)
splunk splunk From 10.2.0 (inc) to 10.2.2 (exc)
splunk splunk_cloud_platform From 10.0.2503 (inc) to 10.0.2503.13 (exc)
splunk splunk_cloud_platform From 10.1.2507 (inc) to 10.1.2507.21 (exc)
splunk splunk_cloud_platform From 10.2.2510 (inc) to 10.2.2510.11 (exc)
splunk splunk_cloud_platform From 10.3.2512 (inc) to 10.3.2512.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-532 The product writes sensitive information to a log file.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can lead to sensitive information disclosure, including session cookies and response bodies, to users who have access to the _internal index.

Such exposure can compromise confidentiality, potentially allowing attackers or unauthorized users to hijack sessions or access sensitive data.

Detection Guidance

No official detection methods or specific commands have been provided for identifying this vulnerability on your network or system.

Executive Summary

CVE-2026-20239 is a high-severity vulnerability in Splunk Enterprise and Splunk Cloud Platform versions below certain releases. It allows a user with access to the _internal index to view sensitive information such as session cookies and response bodies.

The root cause is missing output buffer sanitization in the TcpChannel component, which logs full input/output buffer contents at WARN level during socket errors, exposing sensitive data in log files.

Mitigation Strategies

To mitigate this vulnerability, it is recommended to upgrade Splunk Enterprise to version 10.2.2 or later, and Splunk Cloud Platform to versions 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, or 10.0.2503.13 or later.

Alternatively, restrict access to the _internal index to administrator-level roles only to reduce the risk of sensitive data exposure.

Compliance Impact

This vulnerability allows users with access to the _internal index to view session cookies and response bodies containing sensitive data due to missing output buffer sanitization. Such exposure of sensitive information can lead to non-compliance with data protection regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive data from unauthorized access or disclosure.

To mitigate this risk and help maintain compliance, it is recommended to upgrade to the latest versions of Splunk Enterprise or Splunk Cloud Platform or restrict access to the _internal index to administrator-level roles only.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20239. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart