Description
In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.8, 9.3.9, and 9.2.12, and Splunk Cloud Platform versions below 10.2.2510.3, 10.1.2507.8, 10.0.2503.9, and 9.3.2411.121, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload into the `realname`, `tz`, or `email` parameters of the `/splunkd/__raw/services/authentication/users/username` REST API endpoint when they change a password. This could potentially lead to a client‑side denial‑of‑service (DoS). The malicious payload might significantly slow page load times or render Splunk Web temporarily unresponsive.
Published: 2026-02-18
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑side Denial of Service
Action: Mitigate
AI Analysis

Impact

A low‑privileged user lacking the admin or power role can submit a crafted payload to the realname, tz, or email parameters of the /splunkd/__raw/services/authentication/users/username REST API endpoint when changing a password. The payload may significantly delay page load times or temporarily make Splunk Web unresponsive, representing a client‑side denial‑of‑service effect. This weakness is a classic instance of CWE‑400: Input Validation Failure.

Affected Systems

Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.8, 9.3.9, and 9.2.12, and Splunk Cloud Platform versions below 10.2.2510.3, 10.1.2507.8, 10.0.2503.9, and 9.3.2411.121 are affected.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity, while the EPSS score of less than 1% suggests a very low exploitation probability at this time. The vulnerability has not been catalogued in the CISA KEV list. The attack vector is inferred to be a crafted HTTP request to the REST endpoint, performed by an unprivileged user who can submit the malicious parameters during a password change. Successful exploitation would yield a local client‑side denial‑of‑service but no compromise of confidentiality or integrity.

Generated by OpenCVE AI on April 17, 2026 at 18:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Splunk Enterprise to a version where this vulnerability is fixed (>=10.2.0, 10.0.2, 9.4.8, 9.3.9, or 9.2.12).
  • Upgrade Splunk Cloud Platform to a non‑affected release (>=10.2.2510.3, 10.1.2507.8, 10.0.2503.9, or 9.3.2411.121).
  • Restrict the ability to change passwords to users with admin or power roles, and implement input validation or parameter sanitization for realname, tz, and email fields to prevent malicious payloads.



Advisories

No advisories yet.

History

Fri, 20 Feb 2026 14:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Splunk splunk |
| CPEs | | `cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*` `cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Splunk splunk |

Fri, 20 Feb 2026 01:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` |


Thu, 19 Feb 2026 10:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Splunk; Splunk splunk Cloud Platform; Splunk splunk Enterprise |
| Vendors & Products | | Splunk; Splunk splunk Cloud Platform; Splunk splunk Enterprise |

Wed, 18 Feb 2026 17:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.8, 9.3.9, and 9.2.12, and Splunk Cloud Platform versions below 10.2.2510.3, 10.1.2507.8, 10.0.2503.9, and 9.3.2411.121, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload into the `realname`, `tz`, or `email` parameters of the `/splunkd/__raw/services/authentication/users/username` REST API endpoint when they change a password. This could potentially lead to a client‑side denial‑of‑service (DoS). The malicious payload might significantly slow page load times or render Splunk Web temporarily unresponsive. |
| Title | | Client-Side Denial of Service (DoS) through '/splunkd/__raw/services/authentication/users/username' REST API endpoint in Splunk Enterprise |
| Weaknesses | | CWE-400 |
| References | | |
| Metrics | | cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}` |


MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-02-19T19:28:04.863Z

Reserved: 2025-10-08T11:59:15.382Z

Link: CVE-2026-20139

Vulnrichment

Updated: 2026-02-19T19:27:50.436Z

NVD

Status: Analyzed

Published: 2026-02-18T18:24:26.497

Modified: 2026-02-20T13:47:44.000

Link: CVE-2026-20139

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T18:45:25Z

Weaknesses