CVE-2026-20137: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. in Splunk Splunk Enterprise
In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.5, 9.3.7, and 9.2.9, and Splunk Cloud Platform versions below 10.1.2507.0, 10.0.2503.9, 9.3.2411.112, and 9.3.2408.122, a low-privileged user who does not hold the "admin" or "power" Splunk roles could bypass the SPL safeguards for risky commands when they create a Data Model that contains an injected SPL query within an object. They can bypass the safeguards by exploiting a path traversal vulnerability.
AI Analysis
Technical Summary
CVE-2026-20137 affects Splunk Enterprise releases below 10.2.0, 10.0.3, 9.4.5, 9.3.7 and 9.2.9, and Splunk Cloud Platform releases below 10.1.2507.0, 10.0.2503.9, 9.3.2411.112 and 9.3.2408.122. The vulnerability arises because a low-privileged user, one holding neither the admin nor the power role, can create a Data Model whose objects contain injected SPL (Search Processing Language) queries. By exploiting a path traversal flaw, such a user can bypass the safeguards that normally gate execution of risky SPL commands, which allows unauthorized access to information that should be restricted. The attack vector is network-based; it requires low privileges and some user interaction to create or manipulate Data Models. The vulnerability does not affect the integrity or availability of the system but compromises confidentiality by exposing sensitive data. The CVSS v3.1 base score is 3.5 (low), reflecting the limited scope and complexity of exploitation. No exploits are known in the wild, but the vulnerability is publicly disclosed and should be addressed promptly. The root cause is insufficient validation and access control on Data Model creation and on SPL command execution within those models, combined with a path traversal flaw that enables the safeguard bypass.
Potential Impact
For European organizations, this vulnerability primarily threatens the confidentiality of sensitive data stored or processed within Splunk Enterprise and Splunk Cloud Platform. Since Splunk is widely used for security information and event management (SIEM), unauthorized access to sensitive logs or security data could lead to information leakage, aiding further attacks or compliance violations. Although the vulnerability requires authenticated low-privileged user access, insider threats or compromised user accounts could exploit it to escalate data access beyond intended permissions. The impact on integrity and availability is negligible, but confidentiality breaches could undermine trust in security monitoring and incident response capabilities. Organizations in sectors such as finance, critical infrastructure, government, and telecommunications, which rely heavily on Splunk for security analytics, are particularly at risk. Additionally, exposure of sensitive logs could violate GDPR and other data protection regulations, leading to legal and financial repercussions.
Mitigation Recommendations
European organizations should immediately upgrade affected Splunk Enterprise and Splunk Cloud Platform instances to versions 10.2.0 or later (or the corresponding patched versions) as recommended by Splunk. Until patches are applied, organizations should restrict Data Model creation and modification permissions to trusted administrators only, preventing low-privileged users from exploiting the vulnerability. Implement strict role-based access control (RBAC) policies to limit the assignment of roles capable of creating or editing Data Models. Monitor Splunk audit logs for unusual Data Model creation or modification activities indicative of exploitation attempts. Employ network segmentation and multi-factor authentication (MFA) to reduce the risk of low-privileged account compromise. Regularly review and harden SPL command execution policies and validate inputs to Data Models to detect and block injection attempts. Finally, maintain up-to-date threat intelligence feeds and monitor for any emerging exploit activity related to this CVE.
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: cisco
- Date Reserved: 2025-10-08T11:59:15.381Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6996fb498fb9188dea8c09b8
Added to database: 2/19/2026, 12:00:09 PM
Last enriched: 2/19/2026, 12:07:32 PM
Last updated: 2/21/2026, 12:19:42 AM