Impact
An improper access control flaw in Splunk Enterprise and Splunk Cloud Platform allows users without the admin or power roles to call a REST API endpoint that exposes the contents of the passwords.conf file. The data returned can contain hashed or plaintext password values, handing the adversary credentials that the system stores on behalf of its integrations. This can lead to compromise of service accounts and of the downstream systems that rely on those credentials, deepening the breach beyond the Splunk instance itself.
Affected Systems
Splunk Enterprise versions earlier than 10.2.0, 10.0.3, 9.4.9, and 9.3.10 and Splunk Cloud Platform versions earlier than 10.2.2510.5, 10.1.2507.16, 10.0.2503.11, and 9.3.2411.123 are affected. The vulnerability exists in the /splunkd/__raw/servicesNS/-/-/configs/conf-passwords REST endpoint and applies to all deployments of these products that use standard access controls.
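The fixed versions above are listed one per release line, so a deployment is affected only if it is behind the fix on its own line. The following is an added triage helper (it is not code from OpenCVE or Splunk): the fixed-version table is copied from the advisory text, while the product keys, function names and the "release line equals all components but the last" rule are this example's own assumptions.

```python
# Added example, not part of the advisory: decide whether a Splunk version
# string is earlier than the fix on its release line.

# Fixed versions exactly as the advisory lists them (product keys are ours).
FIXED_VERSIONS = {
    "enterprise": ("10.2.0", "10.0.3", "9.4.9", "9.3.10"),
    "cloud": ("10.2.2510.5", "10.1.2507.16", "10.0.2503.11", "9.3.2411.123"),
}


def parse_version(text):
    """Turn '9.4.8' into (9, 4, 8) so components compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(product, version):
    """True if `version` is earlier than the fix on its release line.

    Assumption: a release line is every component except the last
    (10.2, 9.4, 10.1.2507, ...), because the advisory names one fixed
    build per line. Returns None when the version sits on a line the
    advisory does not mention, so it is triaged by hand rather than
    silently reported as safe.
    """
    v = parse_version(version)
    for fixed in FIXED_VERSIONS[product]:
        f = parse_version(fixed)
        if len(v) == len(f) and v[:-1] == f[:-1]:
            return v[-1] < f[-1]
    return None


if __name__ == "__main__":
    for product, version in [("enterprise", "9.4.8"), ("enterprise", "10.2.1"),
                             ("cloud", "10.1.2507.15"), ("enterprise", "10.1.5")]:
        print(product, version, "->", is_affected(product, version))
```

A result of None (for example an Enterprise 10.1.x build) means the advisory gives no fixed version for that line; treat it as unresolved rather than as unaffected.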
Risk and Exploitability
The CVSS v3.1 score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog, which lowers the likelihood of widespread, known exploitation. Nonetheless, an attacker who can authenticate as a low-privileged Splunk user can query the endpoint directly and retrieve sensitive password data. The attack vector is inferred to be the Splunk REST API over HTTP/HTTPS, and it requires only application-level authentication, which most users already possess.
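Because the precondition is only a valid low-privileged login, the practical detection is to watch the REST access log for reads of the endpoint by accounts that do not hold the admin or power role. The script below is an added example (not code from OpenCVE or Splunk) that does this over a few constructed log lines. Assumptions: the line layout imitates splunkd_access.log (source, user, timestamp, request line, status, bytes, timing) but is not guaranteed to match a given release; the set of privileged users is hard-coded here and would be resolved from the deployment's role configuration in practice; and the match is on the `/configs/conf-passwords` REST path, since the `/splunkd/__raw` prefix in the advisory is the web-tier proxy path that precedes it.

```python
import re

# Constructed sample lines in the assumed shape of splunkd_access.log.
# These are not real records.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Mar/2025:09:14:02.123 +0000] "GET /servicesNS/-/-/configs/conf-passwords HTTP/1.1" 200 2048 - - - 12ms
10.0.0.7 - analyst [12/Mar/2025:09:15:41.007 +0000] "GET /servicesNS/-/-/configs/conf-passwords?output_mode=json HTTP/1.1" 200 1910 - - - 9ms
10.0.0.7 - analyst [12/Mar/2025:09:16:03.551 +0000] "GET /services/search/jobs HTTP/1.1" 201 512 - - - 30ms
10.0.0.9 - contractor [12/Mar/2025:09:20:10.000 +0000] "GET /servicesNS/-/-/configs/conf-passwords HTTP/1.1" 403 0 - - - 2ms
"""

# Accounts holding the admin or power role (assumed; resolve from the
# deployment's role configuration instead of hard-coding in production).
PRIVILEGED_USERS = {"admin"}

# REST path named in the advisory, without the /splunkd/__raw proxy prefix.
SENSITIVE_PATH = "/configs/conf-passwords"

# Assumed field layout: src - user [timestamp] "METHOD URI PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<src>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_passwords_conf_access(log_text, privileged=PRIVILEGED_USERS):
    """Split reads of passwords.conf by non-privileged users into
    (succeeded, denied) lists; each entry records user, source, time, status."""
    succeeded, denied = [], []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        path = rec["uri"].split("?", 1)[0]  # drop the query string
        if not path.endswith(SENSITIVE_PATH):
            continue
        if rec["user"] in privileged:
            continue  # admin/power reads are expected; audit separately
        finding = {
            "user": rec["user"],
            "src": rec["src"],
            "ts": rec["ts"],
            "status": int(rec["status"]),
        }
        (succeeded if 200 <= finding["status"] < 300 else denied).append(finding)
    return succeeded, denied


if __name__ == "__main__":
    ok, no = find_passwords_conf_access(SAMPLE_LOG)
    for f in ok:
        print(f"ALERT  {f['user']}@{f['src']} read passwords.conf at {f['ts']}")
    for f in no:
        print(f"NOTICE {f['user']}@{f['src']} attempted passwords.conf read, status {f['status']}")
```

On the sample input the analyst's successful read is raised as an alert, while the contractor's 403 is recorded as an attempt; on a patched instance every non-privileged request should land in the second list, so the first list staying empty is a cheap post-upgrade check.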
OpenCVE Enrichment