Description
In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.8, and 9.2.11, and Splunk Cloud Platform versions below 10.2.2510.0, 10.1.2507.11, 10.0.2503.9, and 9.3.2411.120, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the Splunk _internal index could view the Security Assertion Markup Language (SAML) configurations for Attribute query requests (AQRs) or Authentication extensions in plain text within the conf.log file, depending on which feature is configured.
Published: 2026-02-18
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Disclosure
Action: Apply Patch
AI Analysis

Impact

This vulnerability permits a user who has access to the _internal index in a Splunk Search Head Cluster to read the conf.log file. The log file reveals plain text SAML configuration details for Attribute Query Requests or Authentication extensions, which is a form of sensitive data exposure matching CWE-532. The exposed information could aid an adversary in mapping authentication flows or identifying potential weak spots in the SAML setup, though it does not directly grant system privileges or credentials.

Affected Systems

Affected systems include Splunk Enterprise versions lower than 10.2.0, 10.0.2, 9.4.7, 9.3.8, and 9.2.11, as well as Splunk Cloud Platform versions lower than 10.2.2510.0, 10.1.2507.11, 10.0.2503.9, and 9.3.2411.120. The issue arises in deployments that use a Search Head Cluster where a role grants index access to the _internal data source.

Risk and Exploitability

The CVSS score of 6.8 indicates moderate severity, while the EPSS score of <1% reflects a very low probability of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires a user with sufficient role privileges on a Search Head Cluster; once that access is present, the attacker can read SAML configuration data from logs without network interaction, making the attack local to authorized users only.

Generated by OpenCVE AI on April 17, 2026 at 18:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Splunk Enterprise to version 10.2.0 or newer, or at least to the latest patch level that removes the exposed log entry.
  • Upgrade Splunk Cloud Platform to 10.2.2510.0 or newer, or the latest patch that addresses the log disclosure.
  • Restrict user roles that have access to the _internal index and conf.log from the Search Head Cluster to only those who genuinely need it.
  • If an immediate upgrade is not feasible, disable or restrict the SAML features that produce the sensitive log entries until a patch can be applied.


Advisories

No advisories yet.

History

Mon, 23 Feb 2026 14:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Splunk splunk
CPEs | | cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*, cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*
Vendors & Products | | Splunk splunk

Thu, 19 Feb 2026 10:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Splunk; Splunk splunk Cloud Platform; Splunk splunk Enterprise
Vendors & Products | | Splunk; Splunk splunk Cloud Platform; Splunk splunk Enterprise

Wed, 18 Feb 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 18 Feb 2026 17:30:00 +0000

Type | Values Removed | Values Added
Description | | In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.8, and 9.2.11, and Splunk Cloud Platform versions below 10.2.2510.0, 10.1.2507.11, 10.0.2503.9, and 9.3.2411.120, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the Splunk _internal index could view the Security Assertion Markup Language (SAML) configurations for Attribute query requests (AQRs) or Authentication extensions in plain text within the conf.log file, depending on which feature is configured.
Title | | Sensitive Information Disclosure in '_internal' index in Splunk Enterprise
Weaknesses | | CWE-532
References | |
Metrics | | cvssV3_1: {'score': 6.8, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-02-26T14:44:16.610Z

Reserved: 2025-10-08T11:59:15.384Z

Link: CVE-2026-20144

Vulnrichment

Updated: 2026-02-18T17:58:31.646Z

NVD

Status : Analyzed

Published: 2026-02-18T18:24:29.220

Modified: 2026-02-23T14:43:22.443

Link: CVE-2026-20144

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T18:45:25Z

Weaknesses