Threat Advisory

Splunk Enterprise Authorization Overwrite Bypass Vulnerability

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in Splunk Enterprise, Splunk Cloud Platform, and the Splunk AI Toolkit. The affected products include the Splunk Enterprise 10.2, 10.0, 9.4 and 9.3 release lines (patched in 10.2.2, 10.0.5, 9.4.11 and 9.3.12 respectively) and the Splunk AI Toolkit (version 5.7.3 or higher). The flaws are an improper-validation issue that lets a low-privileged user trigger a complete Denial of Service (DoS) on the instance, an information-exposure issue that reveals session cookies and cleartext HTTP response bodies to users with telemetry access, and an access-control override in which an app-shipped search filter rewrites a built-in role. Business risk and impact are high: exploitation can lead to service outages, data exposure, and unauthorized access to confidential datasets. If left unaddressed, these vulnerabilities can severely disrupt operations and compromise sensitive data.


  • CVE-2026-20240 with a CVSS score of 9.8 – A low-privileged user can manipulate the coldToFrozen.sh script shipped with the splunk_archiver app to rename critical Splunk system directories, causing a complete Denial of Service of the instance.
  • CVE-2026-20239 with a CVSS score of 8.8 – A logic flaw in the platform's TcpChannel component exposes data directly from the network transmission plane, so users with only basic access to internal telemetry can read active session cookies and cleartext HTTP response bodies; a captured session cookie is enough to act as that session's user.
  • CVE-2026-20238 with a CVSS score of 8.6 – The Splunk AI Toolkit app ships with a search filter that overwrites the platform's built-in user role, so low-privileged users bypass the explicit search restrictions an administrator configured on that role and can view confidential corporate datasets.

The identified vulnerabilities pose a significant risk to organizations that rely on Splunk Enterprise and AI Toolkit. If exploited, these vulnerabilities can lead to system crashes, data breaches, and unauthorized access to sensitive information. It is essential to address these vulnerabilities promptly to prevent potential business disruptions and data compromise.
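The CVE-2026-20238 item above describes the general failure mode behind the title of this advisory: any app that ships an authorize.conf stanza named after a built-in role (role_user, role_power, role_admin, role_can_delete) merges its keys into that role, and a wide-open srchFilter there replaces whatever the administrator set. The audit script below is an added example written for this advisory, not Splunk's code or the vulnerable toolkit's code. It walks etc/apps/*/{default,local}/authorize.conf, reports every stanza that touches a built-in role, and singles out those that set srchFilter. The app names and file contents in build_sample_splunk_home() are constructed; "vendor_toolkit" is a hypothetical app, not the Splunk AI Toolkit. The script does not compute Splunk's layering precedence between apps; confirm the effective value with the vendor tool, splunk btool authorize list role_user --debug, which prints the file each setting comes from.

```python
"""Audit app-shipped authorize.conf files for stanzas that rewrite Splunk's
built-in roles.  Added example, not Splunk's code: the app names and file
contents under build_sample_splunk_home() are constructed for illustration."""
import configparser
import tempfile
from pathlib import Path

# Core roles Splunk defines in etc/system/default/authorize.conf.  An app that
# ships a stanza with one of these names merges its keys into that role.
BUILTIN_ROLES = {"role_admin", "role_power", "role_user", "role_can_delete"}


def parse_conf(path):
    """Parse a Splunk .conf file (ini-style) into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive; keep them verbatim
    cp.read(path, encoding="utf-8")
    return {stanza: dict(cp[stanza]) for stanza in cp.sections()}


def audit_authorize(splunk_home):
    """Return every built-in-role stanza found in any app's default/ or local/
    authorize.conf, in app-name order."""
    findings = []
    apps_dir = Path(splunk_home) / "etc" / "apps"
    for app in sorted(p for p in apps_dir.iterdir() if p.is_dir()):
        for scope in ("default", "local"):
            conf = app / scope / "authorize.conf"
            if not conf.is_file():
                continue
            for stanza, keys in parse_conf(conf).items():
                if stanza in BUILTIN_ROLES:
                    findings.append({"app": app.name, "scope": scope,
                                     "role": stanza, "keys": keys})
    return findings


def search_filter_overrides(findings):
    """Narrow to findings that set srchFilter, the key that restricts what a
    role may search.  Set on a built-in role by an app, it silently replaces
    whatever restriction the administrator configured."""
    return [f for f in findings if "srchFilter" in f["keys"]]


def build_sample_splunk_home():
    """Constructed SPLUNK_HOME with three apps.  'vendor_toolkit' and
    'my_custom_app' are hypothetical app names used only for this example."""
    home = Path(tempfile.mkdtemp(prefix="splunk_home_"))
    files = {
        # Hypothetical toolkit shipping a wide-open filter on the built-in user role.
        "vendor_toolkit/default/authorize.conf": "[role_user]\nsrchFilter = *\n",
        # A custom role that merely imports 'user' does not touch the built-in stanza.
        "my_custom_app/default/authorize.conf":
            "[role_analyst]\nimportRoles = user\nsrchFilter = index=main\n",
        # A local override of 'power' that grants a capability but leaves srchFilter alone.
        "search/local/authorize.conf": "[role_power]\nschedule_search = enabled\n",
    }
    for rel, body in files.items():
        target = home / "etc" / "apps" / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return home


if __name__ == "__main__":
    home = build_sample_splunk_home()
    for f in audit_authorize(home):
        flag = "SRCHFILTER-OVERRIDE" if "srchFilter" in f["keys"] else "touches-builtin-role"
        print(f"{flag:22} {f['app']}/{f['scope']}  {f['role']}  {f['keys']}")
```

Run it against a real installation by replacing build_sample_splunk_home() with the path in SPLUNK_HOME. Anything reported as SRCHFILTER-OVERRIDE from an app you did not write deserves the same review as a change to the role itself, because that is what it is.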

RECOMMENDATION:

  • We recommend updating Splunk Enterprise to version 10.2.2, or to the patched release of the line you run (10.0.5, 9.4.11 or 9.3.12).

REFERENCES:

The following reports contain further technical details:
https://securityonline.info/splunk-enterprise-security-advisories-cve-2026-20240-log-leak/
