CVE-2026-20144 affects Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.8, and 9.2.11, as well as Splunk Cloud Platform versions below 10.2.2510.0, 10.1.2507.11, 10.0.2503.9, and 9.3.2411.120. The vulnerability arises from the logging of sensitive Security Assertion Markup Language (SAML) configuration data, specifically Attribute Query Requests (AQRs) and Authentication extensions, in plain text within the conf.log file. This occurs in Splunk Search Head Cluster (SHC) deployments where users with roles granting access to the Splunk _internal index can view these logs. The exposure of SAML configuration details can provide attackers with valuable information to facilitate further attacks, such as forging or manipulating authentication tokens or bypassing authentication mechanisms. The vulnerability requires authenticated access with elevated privileges (access to _internal index) but does not require user interaction. The CVSS 3.1 score of 6.8 reflects a medium severity, with high impact on confidentiality, integrity, and availability due to the sensitive nature of the leaked data and the potential for misuse. No known exploits have been reported in the wild as of the publication date. The vulnerability highlights the risk of sensitive information leakage through verbose logging in security-critical systems and underscores the importance of secure log management and access controls in Splunk deployments.

The primary impact of CVE-2026-20144 is the exposure of sensitive SAML configuration data, which can compromise the confidentiality of authentication mechanisms within affected Splunk environments. Attackers with access to the _internal index could leverage this information to craft sophisticated attacks such as token forgery, authentication bypass, or privilege escalation, potentially leading to unauthorized access to critical systems and data. The integrity of authentication processes may be undermined, and availability could be affected if attackers disrupt authentication services or escalate privileges to disable security controls. Organizations relying on Splunk for security monitoring and incident response may face increased risk of compromise, data breaches, and operational disruption. The requirement for authenticated access with elevated privileges limits the attack surface but does not eliminate risk, especially in environments with multiple administrators or insufficient access controls. The absence of known exploits reduces immediate risk but does not preclude future exploitation. Overall, the vulnerability poses a significant threat to organizations with Splunk SHC deployments, particularly those handling sensitive or regulated data.

To mitigate CVE-2026-20144, organizations should promptly upgrade affected Splunk Enterprise and Splunk Cloud Platform deployments to the fixed versions: 10.2.0 or later for Enterprise and 10.2.2510.0 or later for Cloud Platform, or the respective minimum fixed versions listed. Until upgrades are applied, restrict access to the Splunk _internal index strictly to trusted administrators with a demonstrated need, employing the principle of least privilege. Review and audit roles and permissions regularly to ensure no excessive access is granted. Implement monitoring and alerting for unusual access patterns to the _internal index or conf.log files. Consider encrypting log files at rest and in transit to reduce the risk of unauthorized access. Disable or limit verbose logging of sensitive configuration data where possible, and sanitize logs to avoid storing plaintext sensitive information. Conduct security awareness training for administrators about the risks of sensitive data exposure through logs. Finally, maintain an incident response plan that includes steps for potential compromise scenarios involving authentication mechanisms.