Description
In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a role that has access to the `_internal` index could view session cookies and response bodies that contain sensitive data.
Published: 2026-05-20
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a user with access to the `_internal` index in Splunk Enterprise or Splunk Cloud Platform to view session cookies and response bodies that contain sensitive data. Because this data is written to log files, the flaw can result in the disclosure of confidential information and potentially enable session hijacking or impersonation. This issue is classified as CWE-532, which describes improper handling of sensitive information in logs.

Affected Systems

Affected products include Splunk Enterprise versions earlier than 10.2.2 or 10.0.5, as well as Splunk Cloud Platform versions earlier than 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13. Only users with roles that grant read access to the `_internal` index are able to exploit the flaw.

Risk and Exploitability

The CVSS score of 7.5 indicates a high-severity information disclosure. No EPSS score is provided, and the vulnerability is not listed in CISA KEV, suggesting no known public exploitation yet. Exploitation requires a role with access to the `_internal` index, which limits it to authenticated users with sufficient privileges. Nevertheless, the potential to uncover session cookies and sensitive response bodies makes this a significant risk for organizations that tolerate broad internal log access.

Generated by OpenCVE AI on May 20, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Splunk Enterprise to version 10.2.2 or later and Splunk Cloud Platform to the latest patch that addresses the issue.
  • Restrict read access to the `_internal` index to only privileged roles, removing unnecessary permissions from other user roles.
  • If an upgrade cannot yet be performed, review and adjust log filtering settings to suppress the recording of session cookies and sensitive response bodies, ensuring that logs do not contain this information.

Advisories

No advisories yet.

History

Wed, 20 May 2026 18:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Splunk; Splunk splunk Cloud Platform; Splunk splunk Enterprise |
| Vendors & Products | | Splunk; Splunk splunk Cloud Platform; Splunk splunk Enterprise |

Wed, 20 May 2026 18:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |

Wed, 20 May 2026 17:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a role that has access to the `_internal` index could view session cookies and response bodies that contain sensitive data. |
| Title | | Sensitive Information Disclosure through Log Files in Splunk Enterprise |
| Weaknesses | | CWE-532 |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'} |

MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-05-20T17:48:15.233Z

Reserved: 2025-10-08T11:59:15.400Z

Link: CVE-2026-20239

Vulnrichment

Updated: 2026-05-20T17:48:10.014Z

NVD

Status: Received

Published: 2026-05-20T18:16:26.520

Modified: 2026-05-20T18:16:26.520

Link: CVE-2026-20239

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T18:30:36Z

Weaknesses