CVE-2026-20165 in Splunk

Summary

by MITRE • 03/11/2026

In Splunk Enterprise versions below 10.2.1, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.7, 10.1.2507.17, 10.0.2503.12, and 9.3.2411.124, a low-privileged user that does not hold the "admin" or "power" Splunk roles could retrieve sensitive information by inspecting the job's search log due to improper access control in the MongoClient logging channel.

Analysis

by VulDB Data Team • 03/24/2026

This vulnerability affects Splunk Enterprise and Splunk Cloud Platform releases prior to the patched versions listed above. It is a critical access control flaw that allows low-privileged users to extract sensitive information by inspecting a search job's log. The vulnerability stems from improper access control in the MongoClient logging channel: users without the admin or power role can read job search logs that contain confidential data. The issue is classified under CWE-285 (improper access control) and is mapped to ATT&CK techniques T1078.004 (valid accounts) and T1566.002 (spearphishing via social media), since it enables unauthorized data access through legitimate user accounts. The flaw sits in the logging infrastructure where database operations are recorded, so inspecting a search job exposes information that should have remained restricted.

Technically, the vulnerability comes down to a missing authorization check when users access job search logs through the MongoClient logging channel. When a low-privileged user runs a search or views its search log, the system does not validate whether that user holds a role entitled to the specific log content. As a result, users can retrieve search queries, results and other sensitive operational data that should be visible only to holders of the admin or power role. The failure occurs at the point where the system serves a job search log request without checking the requester's roles against the data being returned.

The operational impact of this vulnerability extends beyond simple information disclosure, as it can enable attackers to gain insights into organizational data access patterns, search queries, and potentially sensitive business intelligence. Low-privileged users who can exploit this vulnerability can access search logs containing detailed information about database queries, user activities, and system operations that may reveal internal processes, data structures, and security configurations. This information can be leveraged for further attacks including privilege escalation, social engineering, or targeted exploitation of other system weaknesses. The vulnerability also impacts compliance requirements as it may expose sensitive data that should remain protected under data governance policies and regulatory frameworks.

Organizations should immediately implement the available patches for Splunk Enterprise and Splunk Cloud Platform versions affected by this vulnerability, ensuring all systems are updated to the specified minimum versions. Network segmentation should be implemented to limit access to Splunk systems, particularly restricting direct access to logging infrastructure from untrusted networks. Access controls should be reviewed and strengthened to ensure proper role-based access control is enforced for all Splunk operations, including search log access. Security monitoring should be enhanced to detect unusual search log access patterns and unauthorized attempts to retrieve job information. Additionally, regular security assessments should be conducted to identify and remediate similar access control vulnerabilities in other system components, and user training should emphasize the importance of proper access control and the risks associated with unauthorized information disclosure.
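As an added illustration (not Splunk's code, and not taken from the advisory) of the role-gated access check described in the technical paragraph and of the monitoring recommended in the mitigation paragraph, the following Python models two defender-side pieces: a search-log filter that withholds lines from a restricted logging channel unless the requester holds the admin or power role, and a detection pass over audit records of search-log retrievals. The log line layout, the audit record fields, the treatment of the "MongoClient" channel as restricted, and the heuristics and threshold used for flagging are all assumptions made for this example; the sample log lines and audit records are constructed.

```python
"""Role-gated search-log visibility and a detection pass over audit records.

Added example. Everything here is a constructed model, not Splunk's
implementation: role names, the log-line layout, which channel counts as
restricted, the audit-record fields and the flagging heuristics are assumed.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Roles the advisory names as entitled to the full search log.
PRIVILEGED_ROLES = frozenset({"admin", "power"})
# Assumed: channels whose lines are treated as sensitive for other roles.
RESTRICTED_CHANNELS = frozenset({"MongoClient"})

# Constructed search.log lines in an assumed "timestamp LEVEL Channel - msg" layout.
SAMPLE_SEARCH_LOG = [
    "2026-03-11 10:00:01.000 INFO  SearchParser - parsing search",
    "2026-03-11 10:00:01.120 DEBUG MongoClient - connecting to kvstore host=kv01 user=svc_kv (constructed)",
    "2026-03-11 10:00:02.500 INFO  DispatchThread - search finished",
]

LOG_LINE = re.compile(r"^(?P<ts>\S+ \S+)\s+(?P<level>\w+)\s+(?P<channel>\w+) - (?P<msg>.*)$")


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


def is_privileged(user):
    """True if the user holds any role entitled to restricted log channels."""
    return bool(user.roles & PRIVILEGED_ROLES)


def visible_search_log(user, lines):
    """Return the log lines `user` may see.

    Privileged users receive every line. Everyone else receives lines from
    restricted channels with the message replaced by a redaction marker, so
    the channel's presence is still visible but its content is not.
    """
    out = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and m["channel"] in RESTRICTED_CHANNELS and not is_privileged(user):
            out.append(f"{m['ts']} {m['level']} {m['channel']} - [redacted: requires admin or power role]")
        else:
            out.append(line)
    return out


# Constructed audit records of search-log retrievals (assumed field names).
SAMPLE_AUDIT = [
    {"user": "alice", "roles": {"user"}, "sid": "sid-1", "owner": "alice"},
    {"user": "alice", "roles": {"user"}, "sid": "sid-2", "owner": "alice"},
    {"user": "alice", "roles": {"user"}, "sid": "sid-3", "owner": "alice"},
    {"user": "bob", "roles": {"user"}, "sid": "sid-4", "owner": "carol"},
    {"user": "dave", "roles": {"admin"}, "sid": "sid-5", "owner": "carol"},
]


def flag_search_log_access(events, read_threshold=3):
    """Return (user, reason) findings for unusual search-log access.

    Two assumed heuristics: a non-privileged user reading the search log of a
    job owned by someone else, and a non-privileged user reading search logs
    at least `read_threshold` times within the reviewed window.
    """
    findings = []
    reads = Counter()
    for ev in events:
        if set(ev["roles"]) & PRIVILEGED_ROLES:
            continue  # admin/power reads are expected; not flagged here
        reads[ev["user"]] += 1
        if ev["user"] != ev["owner"]:
            findings.append((ev["user"], f"read search log of job {ev['sid']} owned by {ev['owner']}"))
    for user, n in reads.items():
        if n >= read_threshold:
            findings.append((user, f"{n} search log reads in window"))
    return findings


if __name__ == "__main__":
    analyst = User("alice", frozenset({"user"}))
    for line in visible_search_log(analyst, SAMPLE_SEARCH_LOG):
        print(line)
    for user, reason in flag_search_log_access(SAMPLE_AUDIT):
        print(f"FLAG {user}: {reason}")
```

In this model the "user" role sees that a MongoClient line exists in its search log but not what it said, which is the behaviour the advisory's fixed versions are meant to restore for the affected channel; the detection pass is the kind of baseline a SOC would tune against real audit data before relying on the threshold.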

Responsible: Cisco

Reservation: 10/08/2025

Disclosure: 03/11/2026

Moderation: accepted

CPE: ready

EPSS: 0.00046

KEV: no

Activities: very low
