Impact
A low-privileged user who does not hold the "admin" or "power" Splunk role can retrieve the Observability Cloud API access token through the Discover Splunk Observability Cloud app. The disclosure is caused by improper access control on that app and is classified as an information-disclosure weakness, CWE-200. With the token in hand, the attacker could make authenticated API calls and potentially access, modify, or exfiltrate data within the Splunk environment.
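The flaw described above is an authorization gap: an authenticated caller gets a secret back without any check of the caller's roles. The following is an added, hypothetical model of that pattern, not Splunk's code: a "before" handler that hands the token to any authenticated user beside a hardened handler that enforces the "admin"/"power" role requirement named in the advisory. The `Request` shape, the handler names, the token literal and the redaction helper are assumptions constructed for the example.

```python
"""Hypothetical model of a missing role check on a token endpoint.

Added example, not Splunk's code. The role names "admin" and "power" come
from the advisory; everything else (request shape, handler names, the
token value) is an assumption constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an authenticated request (assumed shape)."""
    user: str
    roles: set = field(default_factory=set)


# Constructed placeholder secret. A real service reads this from its
# credential store; it is a literal here only so the example runs offline.
OBSERVABILITY_TOKEN = "EXAMPLE-TOKEN-placeholder"

# Roles allowed to read the token, as stated in the advisory.
TOKEN_READER_ROLES = frozenset({"admin", "power"})


class Forbidden(Exception):
    """Raised when the caller lacks a token-reader role."""


def get_token_vulnerable(req: Request) -> dict:
    """Before: any authenticated caller receives the secret.

    Authentication is not authorization. Nothing here inspects req.roles,
    so a low-privileged user gets the same response as an admin (CWE-200).
    """
    return {"user": req.user, "token": OBSERVABILITY_TOKEN}


def get_token_hardened(req: Request) -> dict:
    """After: the role check happens server-side, before any disclosure."""
    if not (req.roles & TOKEN_READER_ROLES):
        # Fail closed: no partial data and no hint about the token's value.
        raise Forbidden(f"user {req.user!r} lacks a token-reader role")
    return {"user": req.user, "token": OBSERVABILITY_TOKEN}


def redact_for_ui(token: str, keep: int = 4) -> str:
    """Secondary mitigation: a UI rarely needs the full secret, so show only
    a short suffix; a screenshot or cached page then leaks very little."""
    if len(token) <= keep:
        return "*" * len(token)
    return "*" * (len(token) - keep) + token[-keep:]


def demo() -> dict:
    """Exercise both handlers with a low-privileged and a privileged caller."""
    low = Request(user="analyst", roles={"user"})
    admin = Request(user="ops", roles={"admin"})
    result = {
        "vulnerable_low": get_token_vulnerable(low)["token"] == OBSERVABILITY_TOKEN
    }
    try:
        get_token_hardened(low)
        result["hardened_low_blocked"] = False
    except Forbidden:
        result["hardened_low_blocked"] = True
    result["hardened_admin"] = (
        get_token_hardened(admin)["token"] == OBSERVABILITY_TOKEN
    )
    result["redacted"] = redact_for_ui(OBSERVABILITY_TOKEN)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the check must live in the server-side handler, not in the UI that decides whether to draw a "show token" button: hiding the control client-side leaves the endpoint itself open to any authenticated caller, which is exactly the condition the advisory describes.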
Affected Systems
The vulnerability affects Splunk Enterprise versions below 10.2.1 and 10.0.4, as well as Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, and 10.0.2503.12. Splunk Enterprise versions earlier than 9.4.9 and 9.3.10 are not affected because the Discover app is not included with those releases.
Risk and Exploitability
The CVSS score of 5.4 indicates a moderate severity, and the EPSS score of less than 1% reflects a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. An attacker only needs a low‑privileged account with access to the Splunk instance and the Discover app to obtain the token; no administrative privileges or remote code execution are required. This makes the attack relatively easy to execute for authenticated users but still limited in scope compared to higher‑privilege exploits.
OpenCVE Enrichment