CVE-2026-20139 is a resource exhaustion vulnerability affecting multiple versions of Splunk Enterprise and Splunk Cloud Platform prior to 10.2.0 and specific minor releases. The flaw exists because the software does not properly control allocation and maintenance of limited resources when processing certain user parameters—specifically `realname`, `tz`, and `email`—during password changes via the `/splunkd/__raw/services/authentication/users/username` REST API endpoint. A low-privileged user lacking admin or power roles can inject crafted payloads into these parameters. This malicious input can cause excessive consumption of client-side resources, leading to significant slowdowns or temporary unresponsiveness of the Splunk Web interface, effectively a denial-of-service condition on the client side. The vulnerability does not affect confidentiality or integrity but impacts availability. Exploitation requires network access and low privilege but no user interaction. The CVSS 3.1 base score is 4.3 (medium), reflecting the limited scope and impact. No public exploits are known, and the vulnerability was reserved in October 2025 and published in February 2026. The root cause is insufficient validation and control over resource usage during user attribute updates, allowing resource exhaustion attacks.

For European organizations relying on Splunk Enterprise or Splunk Cloud Platform for log management, security monitoring, or operational intelligence, this vulnerability could disrupt normal operations by degrading the responsiveness of the Splunk Web interface. Although it does not compromise data confidentiality or integrity, availability issues can delay incident response, log analysis, and other critical security functions. Organizations with many low-privileged users or those that expose Splunk Web interfaces to wider internal or external networks are at higher risk. Temporary denial-of-service conditions could impact security teams’ ability to monitor and react to threats promptly, increasing organizational risk. The impact is primarily operational and could affect compliance with regulatory requirements for continuous monitoring and incident management. However, since exploitation requires authenticated low-privileged access, the threat is somewhat mitigated by strong internal access controls and user management policies.

1. Upgrade affected Splunk Enterprise and Splunk Cloud Platform instances to versions 10.2.0 or later, or the corresponding patched minor releases as soon as they become available. 2. Restrict access to the password change REST API endpoint to only trusted users and monitor usage patterns for anomalies. 3. Implement strict input validation and sanitization on user attribute fields (`realname`, `tz`, `email`) to prevent injection of malicious payloads. 4. Enforce the principle of least privilege by limiting the number of users with password change capabilities and regularly reviewing role assignments. 5. Monitor Splunk Web performance metrics and logs for signs of resource exhaustion or unusual slowdowns that could indicate exploitation attempts. 6. Consider network segmentation and access controls to limit exposure of Splunk Web interfaces to only necessary internal networks. 7. Educate administrators and users about the risks of resource exhaustion attacks and encourage prompt reporting of interface performance issues. 8. Maintain up-to-date backups and incident response plans to quickly recover from potential denial-of-service conditions.