Description
In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data that was restricted through `srchFilter` configurations on custom roles.<br><br>The app contains an `authorize.conf` configuration file with a `srchFilter` entry that modifies the built-in ‘user’ role. Because the Splunk platform combines inherited search filters with the `OR` SPL operator, the injected filter overrides more restrictive filters on child roles.
Published: 2026-05-20
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Splunk AI Toolkit app, in versions below 5.7.3, contains a configuration that modifies the built‑in ‘user’ role using a ‘srchFilter’ entry. Because the Splunk platform concatenates inherited search filters with the OR operator in SPL, the injected filter can override more restrictive child‑role filters, allowing a low‑privileged user to view data intended for higher‑privileged roles. This flaw is an instance of improper access control, classified as CWE‑863, and results in potential confidentiality exposure.

Affected Systems

Splunk AI Toolkit for Splunk, versions older than 5.7.3. The issue affects any Splunk deployment that has the app installed with custom roles configured via srchFilter.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity, and no EPSS score is reported. The vulnerability is not listed in the CISA KEV catalog. Attackers would need a low‑privileged account within the Splunk environment; the vulnerability is exploitable by interacting with the app from inside the platform, as the flaw relies on configuration inheritance and does not require external network access. An attacker with such an account can effectively bypass restrictions and access confidential data.

Generated by OpenCVE AI on May 20, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Splunk AI Toolkit app to version 5.7.3 or later to remove the vulnerable srchFilter configuration.
  • Review and revise any existing srchFilter entries so that they do not override more restrictive child‑role filters; remove or modify entries that use the OR operator to prevent unintended privilege escalation.
  • Audit custom roles and role inheritance hierarchies to ensure no low‑privileged users can gain elevated access through inherited filters; adjust role assignments accordingly.

Generated by OpenCVE AI on May 20, 2026 at 18:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 17:45:00 +0000

Type Values Removed Values Added
Description In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data that was restricted through `srchFilter` configurations on custom roles.<br><br>The app contains an `authorize.conf` configuration file with a `srchFilter` entry that modifies the built-in ‘user’ role. Because the Splunk platform combines inherited search filters with the `OR` SPL operator, the injected filter overrides more restrictive filters on child roles.
Title Improper Access Control through Role Inheritance in Splunk AI Toolkit app
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-05-20T17:48:46.704Z

Reserved: 2025-10-08T11:59:15.400Z

Link: CVE-2026-20238

cve-icon Vulnrichment

Updated: 2026-05-20T17:48:42.981Z

cve-icon NVD

Status : Received

Published: 2026-05-20T18:16:26.393

Modified: 2026-05-20T18:16:26.393

Link: CVE-2026-20238

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T19:00:07Z

Weaknesses