CVE-2026-20141: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information, in Splunk Enterprise
In Splunk Enterprise versions below 10.0.2, 10.0.3, 9.4.8, and 9.3.9, a low-privileged user who does not hold the "admin" Splunk role could access the Splunk Monitoring Console App endpoints due to improper access control. This could lead to a sensitive information disclosure.

The Monitoring Console app is a bundled app that comes with Splunk Enterprise. It is not available for download on SplunkBase, and is not installed on Splunk Cloud Platform instances. This vulnerability does not affect [Cloud Monitoring Console](https://help.splunk.com/en/splunk-cloud-platform/administer/admin-manual/10.2.2510/monitor-your-splunk-cloud-platform-deployment/introduction-to-the-cloud-monitoring-console).
AI Analysis
Technical Summary
CVE-2026-20141 is an access control vulnerability affecting Splunk Enterprise versions below 10.0.2, 10.0.3, 9.4.8, and 9.3.9. The flaw resides in the Monitoring Console App, a bundled application used for monitoring Splunk deployments. Due to improper access control, users with low privileges who do not have the 'admin' role can access Monitoring Console endpoints that should be restricted. This unauthorized access can lead to the disclosure of sensitive operational and monitoring data, potentially exposing system metrics, configuration details, or other sensitive information that could aid attackers in further reconnaissance or exploitation. The vulnerability does not require user interaction and can be exploited remotely over the network, increasing its risk profile. However, it requires the attacker to have at least low-level authenticated access to the Splunk Enterprise instance. The vulnerability does not impact Splunk Cloud Platform instances or the Cloud Monitoring Console, limiting its scope to on-premises or self-managed Splunk Enterprise deployments. No public exploits have been observed, but the presence of sensitive information exposure makes this a concern for organizations relying on Splunk for security monitoring and operational intelligence.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive monitoring and operational data within Splunk Enterprise environments. Such data could include system health metrics, user activity logs, or configuration information that attackers might leverage to escalate privileges or conduct targeted attacks. Organizations in sectors with stringent data protection requirements, such as finance, healthcare, and critical infrastructure, could face compliance risks if sensitive information is exposed. Additionally, exposure of monitoring data could undermine trust in security operations and incident response capabilities. Since Splunk is widely used across Europe for security information and event management (SIEM), the vulnerability could affect a broad range of enterprises, government agencies, and service providers. The lack of impact on Splunk Cloud reduces risk for organizations using cloud deployments but highlights the importance of patching on-premises systems promptly.
Mitigation Recommendations
European organizations should immediately assess their Splunk Enterprise deployments to identify affected versions. The primary mitigation is to upgrade Splunk Enterprise to versions 10.0.2, 10.0.3, 9.4.8, or 9.3.9 or later, where the vulnerability is patched. Until patching is possible, organizations should restrict network access to Splunk Enterprise instances, especially limiting access to trusted administrators and monitoring personnel. Implement strict role-based access controls and keep the number of authenticated accounts on Splunk systems to the minimum needed, since the flaw is reachable by any authenticated user who lacks the "admin" role. Review and harden Monitoring Console app permissions and audit access logs for any suspicious activity. Additionally, consider network segmentation to isolate Splunk servers from general user networks. Regularly monitor Splunk logs for unusual access patterns to the Monitoring Console endpoints. Finally, maintain an incident response plan that includes steps for potential data exposure scenarios related to this vulnerability.
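The first two recommendations above (identify affected versions, then reduce the number of non-admin accounts that can reach the instance) can be turned into a small triage script. The following is an added example, not code from the advisory or from Splunk. It encodes only the fixed versions the advisory names (10.0.2, 10.0.3, 9.4.8, 9.3.9) and assumes that each listed maintenance branch is fixed from its listed patch level upward; branches the advisory does not list are reported as "unlisted-branch" for manual verification rather than guessed at. The version strings follow the "Splunk X.Y.Z (build ...)" line printed by `splunk version` (format assumed), the host inventory and user-to-role mapping are constructed sample data, and role inheritance (a custom role importing "admin") is deliberately not modelled.

```python
"""Triage helper for CVE-2026-20141 (Splunk Monitoring Console access control).

Added example; not part of the advisory and not Splunk's code. Fixed versions
come from the advisory text; branch semantics, the `splunk version` output
format and the sample inventory are assumptions made for this example.
"""
import re
from typing import Dict, List, Tuple

# Lowest fixed patch level per (major, minor) branch, taken from the advisory.
# 10.0.3 is also listed as fixed and is covered by ">= 10.0.2" on the 10.0 branch.
FIXED_BRANCHES: Dict[Tuple[int, int], int] = {
    (10, 0): 2,  # 10.0.2
    (9, 4): 8,   # 9.4.8
    (9, 3): 9,   # 9.3.9
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch from a bare version or from a line such as
    'Splunk 9.3.8 (build ...)' (assumed `splunk version` output format)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess_version(text: str) -> str:
    """Return 'affected', 'fixed' or 'unlisted-branch' for one version string.

    Only branches named in the advisory are classified; anything else
    (e.g. 9.2.x or a later branch) is handed back for manual verification
    rather than assumed fixed or affected.
    """
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch not in FIXED_BRANCHES:
        return "unlisted-branch"
    return "fixed" if patch >= FIXED_BRANCHES[branch] else "affected"


def triage(hosts: List[dict]) -> List[Dict[str, str]]:
    """Combine version status with the advisory's precondition: an
    authenticated account without the 'admin' role. Hosts that are both
    on an affected version and have such accounts are prioritised first."""
    report: List[Dict[str, str]] = []
    for host in hosts:
        status = assess_version(host["version"])
        # Direct role membership only; role inheritance is not modelled here.
        non_admin = sorted(u for u, roles in host["users"].items()
                           if "admin" not in roles)
        if status == "affected" and non_admin:
            priority = "patch-now"
        elif status == "affected":
            priority = "patch"
        elif status == "unlisted-branch":
            priority = "review"
        else:
            priority = "ok"
        report.append({
            "host": host["name"],
            "status": status,
            "non_admin_users": ",".join(non_admin),
            "priority": priority,
        })
    return report


# Constructed sample inventory (host names, builds and users are made up).
SAMPLE_HOSTS: List[dict] = [
    {"name": "sh01", "version": "Splunk 9.3.8 (build 0000000000)",
     "users": {"admin": ["admin"], "analyst1": ["user"], "analyst2": ["power"]}},
    {"name": "sh02", "version": "Splunk 9.4.8 (build 0000000000)",
     "users": {"admin": ["admin"], "analyst1": ["user"]}},
    {"name": "idx01", "version": "Splunk 10.0.1 (build 0000000000)",
     "users": {"admin": ["admin"]}},
    {"name": "legacy", "version": "Splunk 9.2.5 (build 0000000000)",
     "users": {"admin": ["admin"], "svc": ["user"]}},
]


def main() -> None:
    for row in triage(SAMPLE_HOSTS):
        print(f"{row['host']:8} {row['status']:16} {row['priority']:10} "
              f"non-admin: {row['non_admin_users'] or '-'}")


if __name__ == "__main__":
    main()
```

On the constructed inventory the script ranks sh01 (affected version, two non-admin accounts) as "patch-now", idx01 as "patch", the 9.2.5 host as "review" because the advisory does not name that branch, and the 9.4.8 host as "ok". Feed it real `splunk version` output and the user list from your own deployment, and extend the role check if you use custom roles that import "admin".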
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: cisco
- Date Reserved: 2025-10-08T11:59:15.382Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6996fb498fb9188dea8c09bc
Added to database: 2/19/2026, 12:00:09 PM
Last enriched: 2/19/2026, 12:07:47 PM
Last updated: 2/21/2026, 12:19:41 AM
Views: 30
Related Threats
- CVE-2026-27203: CWE-15: External Control of System or Configuration Setting in YosefHayim ebay-mcp (High)
- CVE-2026-27168: CWE-122: Heap-based Buffer Overflow in HappySeaFox sail (High)
- CVE-2026-27134: CWE-287: Improper Authentication in strimzi strimzi-kafka-operator (High)
- CVE-2026-27190: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in denoland deno (High)
- CVE-2026-27026: CWE-770: Allocation of Resources Without Limits or Throttling in py-pdf pypdf (Medium)