CVE-2026-20298 in Splunkinfo

Summary

by MITRE • 07/15/2026

In Splunk Enterprise versions below 10.4.1, 10.2.5, 10.0.8, and 9.4.13, and Splunk Cloud Platform versions below 10.5.2605.0, 10.4.2604.6, 10.3.2512.15, 10.2.2510.18, and 10.1.2507.24, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could view stored credential hashes when they access the `/servicesNS/-/-/storage/passwords` REST endpoint through the `|rest` Search Processing Language (SPL) command.<br><br>The exposure happens because the `|rest` SPL command returns the `encr_password` field in the results of the `/servicesNS/-/-/storage/passwords` REST endpoint.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/15/2026

This vulnerability exists in Splunk Enterprise and Cloud Platform versions prior to specific patch releases, creating a critical information disclosure risk for low-privileged users. The flaw stems from improper access control implementation within the Splunk platform's REST API handling mechanism, specifically when processing search commands that interact with sensitive system endpoints. A user without administrative or power roles can exploit this weakness by leveraging the |rest SPL command to query the /servicesNS/-/-/storage/passwords endpoint, thereby gaining unauthorized access to encrypted password hashes stored within the system.

The technical root cause of this vulnerability lies in the insufficient validation and sanitization of REST API responses when processed through the SPL framework. When a low-privileged user executes the |rest command against the storage/passwords endpoint, the system fails to properly filter or restrict sensitive fields in the returned data structure. The encr_password field containing credential hashes is included in the response regardless of the requesting user's permission level, violating fundamental principles of least privilege and access control enforcement. This behavior represents a clear violation of CWE-284 Access Control Issues, specifically manifesting as improper access control where system resources are accessible beyond their intended authorization boundaries.

The operational impact of this vulnerability is severe as it enables unauthorized users to obtain stored credential hashes without possessing elevated privileges typically required for such access. Attackers could potentially use these captured hashes for various malicious activities including password cracking attempts, credential reuse attacks against other systems, or as stepping stones for further compromise within the Splunk environment. The exposure affects not only the immediate confidentiality of stored passwords but also creates potential downstream risks including privilege escalation opportunities and lateral movement capabilities within the compromised infrastructure. This vulnerability directly aligns with ATT&CK technique T1566 Credential Access through unauthorized access to stored credentials.

Organizations should immediately implement mitigations including applying the relevant security patches for their Splunk versions as specified in the affected release notes, configuring proper access controls on REST endpoints through custom roles and capabilities, and implementing network-level restrictions to limit access to sensitive Splunk API endpoints. Additionally, administrators should review existing user permissions and ensure that only authorized personnel possess the necessary capabilities to execute SPL commands against system endpoints. Monitoring and alerting should be implemented to detect unusual access patterns to credential storage endpoints, and regular security assessments should verify proper implementation of access control mechanisms throughout the Splunk deployment.

Responsible

Cisco

Reservation

10/08/2025

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!