Impact
Splunk Enterprise and Splunk Cloud Platform allow a user with the edit_user capability to create usernames that contain a null byte or a non‑UTF‑8 percent‑encoded byte. The input validation fails to normalize these values before storing them, resulting in usernames that are stored inconsistently. This inconsistency can prevent legitimate editing or deletion of the affected accounts, effectively disabling management of those user identities and compromising the normal operation of the authentication subsystem.
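The validation gap the Impact section describes, as an added example that is not Splunk's code and does not describe how Splunk validates usernames: a lossy percent-decoding path beside a strict one that rejects null bytes and non-UTF-8 byte sequences before anything is stored, plus an audit helper for names already on disk. The function names, the extra control-character rule and the sample inputs are assumptions.

```python
"""Added example, not Splunk's code: canonicalise a username submitted to a
user-management endpoint and reject the two malformed forms the advisory names
(an embedded null byte, and percent-encoded bytes that are not valid UTF-8).
weak_normalize() mirrors the failure mode: lossy decoding stores a value that
differs from what was submitted. strict_normalize() rejects it before storage."""
import unicodedata
from urllib.parse import unquote, unquote_to_bytes


def weak_normalize(raw: str) -> str:
    """Lossy path: undecodable bytes silently become U+FFFD and a NUL survives,
    so the stored name is not what later edit or delete requests will compute."""
    return unquote(raw, errors="replace")


def strict_normalize(raw: str) -> str:
    """Decode percent-escapes to bytes, enforce byte-level invariants, then
    produce one canonical Unicode form to use for both storage and lookup."""
    decoded = unquote_to_bytes(raw)  # "%00" -> b"\x00", "ren%C3%A9" -> b"ren\xc3\xa9"
    if b"\x00" in decoded:
        raise ValueError("username contains a null byte")
    try:
        text = decoded.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise ValueError("username is not valid UTF-8 after percent-decoding") from exc
    # Assumed hardening beyond the advisory: other control characters are rejected too.
    if any(unicodedata.category(ch) == "Cc" for ch in text):
        raise ValueError("username contains control characters")
    return unicodedata.normalize("NFC", text)


def is_acceptable(raw: str) -> bool:
    """True when strict_normalize() accepts the submitted value."""
    try:
        strict_normalize(raw)
    except ValueError:
        return False
    return True


def find_malformed(stored_names: list[str]) -> list[str]:
    """Audit helper for already-stored (decoded) names: a NUL, another control
    character, or U+FFFD (the residue of a lossy decode) marks an account to review."""
    return [n for n in stored_names
            if any(ch == "\ufffd" or unicodedata.category(ch) == "Cc" for ch in n)]


if __name__ == "__main__":
    # Constructed sample inputs, as they might arrive percent-encoded on the wire.
    for raw in ("alice", "ren%C3%A9", "bob%00", "eve%FF"):
        print(f"{raw!r:12} weak={weak_normalize(raw)!r:16} strict_ok={is_acceptable(raw)}")
```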
Affected Systems
Affected systems include Splunk Enterprise versions prior to 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions prior to 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127. Only users with a role that contains the high‑privilege edit_user capability can exploit the flaw.
Risk and Exploitability
The CVSS score of 6.6 indicates a medium severity vulnerability. No EPSS score is available, so the likelihood of exploitation is unknown, and the vulnerability is not listed in the CISA KEV catalog. The flaw requires an attacker to possess a role with the edit_user privilege, which is typically held by internal administrators, so the attack vector is likely internal or from a compromised privileged account. An attacker could create malformed accounts that the system can then no longer delete or modify, leaving administrators unable to manage those identities. No remote code execution or privilege escalation beyond the existing edit_user role is implied by the provided information.
OpenCVE Enrichment