CVE-2026-20203 - Vulnerability Details

- Improper Access Control in Data Model Acceleration in Splunk Enterprise

Description

In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles, has write permission on the app, and does not hold the high-privilege capability `accelerate_datamodel`, could turn on or off Data Model Acceleration due to improper access control.

Published: 2026-04-15

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in Splunk Enterprise and Splunk Cloud Platform permits a user who has write permission on an application but does not hold the admin or power roles and lacks the accelerate_datamodel capability to enable or disable Data Model Acceleration. The vulnerability does not provide remote code execution or direct data exfiltration; it simply modifies a configuration setting that may change how the system pre‑computes and stores data for faster searches.

Affected Systems

Splunk Enterprise versions older than 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions older than 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127 are affected; all newer releases contain the fix.

Risk and Exploitability

The CVSS base score is 4.3, indicating low severity, and no EPSS data is available. The vulnerability is not listed in the KEV catalog. Exploitation requires an authenticated user who already has write access to an application but does not possess the admin or power roles. The attacker can toggle acceleration without granting higher privileges or causing code execution, so the impact is limited to altering search performance characteristics within that Splunk deployment.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Splunk

Splunk Enterprise

affected

Version	Status	Constraints
`10.2`	affected	< 10.2.2
`10.0`	affected	< 10.0.5
`9.4`	affected	< 9.4.10
`9.3`	affected	< 9.3.11

Splunk

Splunk Cloud Platform

affected

Version	Status	Constraints
`10.4.2603`	affected	< Not Affected
`10.3.2512`	affected	< 10.3.2512.6
`10.2.2510`	affected	< 10.2.2510.10
`10.1.2507`	affected	< 10.1.2507.19
`10.0.2503`	affected	< 10.0.2503.13
`9.3.2411`	affected	< 9.3.2411.127

Configuration 1 [-]

OR	cpe:2.3:a:splunk:splunk:::::enterprise:::*
	cpe:2.3:a:splunk:splunk:::::enterprise:::*
	cpe:2.3:a:splunk:splunk:::::enterprise:::*
	cpe:2.3:a:splunk:splunk:::::enterprise:::*

Configuration 2 [-]

OR	cpe:2.3:a:splunk:splunk_cloud_platform::::::::
	cpe:2.3:a:splunk:splunk_cloud_platform::::::::
	cpe:2.3:a:splunk:splunk_cloud_platform::::::::
	cpe:2.3:a:splunk:splunk_cloud_platform::::::::
	cpe:2.3:a:splunk:splunk_cloud_platform::::::::

No data.

Vendor Product Confidence Versions

Splunk

Splunk Cloud Platform

100%

Version	Status	Scheme	Platform
`[0,10.4.2603)`	affected	generic	—
`[10.3.2512,10.3.2512.6)`	affected	generic	—
`[10.2.2510,10.2.2510.10)`	affected	generic	—
`[10.1.2507,10.1.2507.19)`	affected	generic	—
`[10.0.2503,10.0.2503.13)`	affected	generic	—
`[9.3.2411,9.3.2411.127)`	affected	generic	—

Splunk

Splunk Enterprise

100%

Version	Status	Scheme	Platform
`[10.2,10.2.2)`	affected	generic	—
`[10.0,10.0.5)`	affected	generic	—
`[9.4,9.4.10)`	affected	generic	—
`[9.3,9.3.11)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to the latest Splunk Enterprise or Splunk Cloud Platform release that contains the fix for this vulnerability.
Revoke write permissions on applications for users who do not have admin or power roles, ensuring only privileged users can modify application data.
Verify that the accelerate_datamodel capability is assigned only to roles that truly require it and remove it from roles that require only data model access but not acceleration control.

Generated by OpenCVE AI on April 16, 2026 at 09:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00036.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://advisory.splunk.com/advisories/SVD-2026-0402

History

Fri, 17 Apr 2026 19:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Splunk splunk
CPEs		cpe:2.3:a:splunk:splunk:::::enterprise:::* cpe:2.3:a:splunk:splunk_cloud_platform::::::::
Vendors & Products		Splunk splunk

Thu, 16 Apr 2026 03:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Splunk Splunk splunk Cloud Platform Splunk splunk Enterprise
Vendors & Products		Splunk Splunk splunk Cloud Platform Splunk splunk Enterprise

Wed, 15 Apr 2026 18:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 15 Apr 2026 15:30:00 +0000

Type	Values Removed	Values Added
Description		In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles, has write permission on the app, and does not hold the high-privilege capability `accelerate_datamodel`, could turn on or off Data Model Acceleration due to improper access control.
Title		Improper Access Control in Data Model Acceleration in Splunk Enterprise
Weaknesses		CWE-284
References		https://advisory.splunk.com/advisories/SVD-2026-0402
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}`

Subscriptions

Splunk Splunk Splunk Cloud Platform Splunk Enterprise

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2026-04-15T15:17:56.261Z

Updated: 2026-04-15T17:40:36.484Z

Reserved: 2025-10-08T11:59:15.397Z

Link: CVE-2026-20203

Vulnrichment

Updated: 2026-04-15T17:40:25.838Z

NVD

Status : Analyzed

Published: 2026-04-15T16:16:34.310

Modified: 2026-04-17T19:07:27.830

Link: CVE-2026-20203

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:15:30Z

Weaknesses

CWE-284

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object