CVE-2026-20144: Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. in Splunk Splunk Enterprise
CVE-2026-20144 is a vulnerability in Splunk Enterprise and Splunk Cloud Platform versions prior to the fixed releases, where sensitive SAML configuration data is logged in plaintext within conf.log files. The exposure is reachable by users whose roles grant access to the Splunk _internal index on Search Head Cluster deployments. Such users can read sensitive authentication details, which could aid an attacker in compromising the authentication mechanism. The CVSS score is 6.8 (medium severity). Exploitation requires authenticated access with elevated privileges but no user interaction. No exploits in the wild are currently known. European organizations running affected Splunk versions should prioritize patching and restrict access to internal indexes. Countries with significant Splunk Enterprise adoption and critical infrastructure relying on SAML authentication are most at risk.
AI Analysis
Technical Summary
CVE-2026-20144 affects Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.8, and 9.2.11, as well as the corresponding Splunk Cloud Platform versions. The vulnerability arises because certain sensitive information related to Security Assertion Markup Language (SAML) configuration, specifically Attribute Query Requests (AQRs) and Authentication extensions, is logged in plaintext in the conf.log file. The logging occurs on Search Head Cluster (SHC) deployments when these features are configured. Users with roles that grant access to the Splunk _internal index can read these logs and thereby obtain authentication configuration details that should remain confidential. Such exposure gives an attacker valuable intelligence for further attacks on the authentication system, potentially compromising the confidentiality, integrity, and availability of systems that rely on SAML. Exploitation requires authenticated access with elevated privileges (roles with _internal index access), no user interaction is needed, and the attack surface is limited to SHC deployments running affected versions. The CVSS 3.1 vector (AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) reflects that the attack requires adjacent-network access with high privileges but is otherwise straightforward. No public exploits are known at this time, but the sensitive nature of the leaked data warrants prompt remediation.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of authentication mechanisms, especially those relying on SAML for single sign-on (SSO) and federated identity management. Exposure of SAML configuration details can enable attackers to craft sophisticated attacks such as token forgery, replay attacks, or bypassing authentication controls, which can lead to unauthorized access to critical systems and data breaches. Service availability could also be affected if attackers use this information to disrupt authentication services. Organizations in sectors with stringent compliance requirements (e.g., finance, healthcare, government) face increased regulatory and reputational risk. Since Splunk is widely used for security monitoring and log management, compromise of its authentication configuration could undermine the security posture of the entire IT environment. The requirement for elevated privileges limits the scope, but insider threats or compromised accounts could still exploit this vulnerability.
Mitigation Recommendations
European organizations should immediately verify whether their Splunk Enterprise or Cloud Platform deployments are running affected versions and prioritize upgrading to the fixed releases (10.2.0, 10.0.2, 9.4.7, 9.3.8, or 9.2.11 and later for Enterprise, and the corresponding Cloud Platform versions). Until patches are applied, restrict access to the Splunk _internal index to only the most trusted administrators and monitor access logs for unusual activity. Implement strict role-based access control (RBAC) to minimize the number of users with elevated privileges, including roles that inherit _internal access through imported roles. Review and harden SAML configurations to ensure minimal exposure of sensitive data. Consider encrypting log files at rest and in transit to reduce the risk of unauthorized reading. Conduct regular audits of Splunk configurations and logs to detect unauthorized access or data leakage. Additionally, enforce multi-factor authentication (MFA) for all users with elevated privileges to reduce the risk of account compromise. Finally, maintain up-to-date incident response plans to quickly address any exploitation attempts.
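A defender-side check for the first mitigation above (limiting who can read the _internal index), added here as an example and not taken from the advisory or from Splunk: it parses a constructed authorize.conf snippet, resolves importRoles inheritance, and reports every role whose effective srchIndexesAllowed grants _internal. The stanza and key names (role_*, importRoles, srchIndexesAllowed) follow Splunk's authorize.conf format; the sample role names and the wildcard rule that `*` excludes underscore-prefixed internal indexes while `_*` includes them are assumptions of this example.

```python
import configparser
import fnmatch
from typing import Dict, List, Optional, Set

# Constructed sample authorize.conf (not from any real deployment).
SAMPLE_AUTHORIZE_CONF = """
[role_admin]
importRoles = power;user
srchIndexesAllowed = *;_*

[role_power]
importRoles = user
srchIndexesAllowed = *

[role_user]
srchIndexesAllowed = main

[role_soc_analyst]
importRoles = user
srchIndexesAllowed = security;_internal

[role_auditor]
importRoles = soc_analyst
"""

def _split(value: str) -> List[str]:
    return [v.strip() for v in value.split(";") if v.strip()]

def parse_roles(text: str) -> Dict[str, dict]:
    """Collect importRoles and srchIndexesAllowed for every [role_<name>] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if section.startswith("role_"):
            roles[section[len("role_"):]] = {
                "imports": _split(cp[section].get("importRoles", "")),
                "indexes": _split(cp[section].get("srchIndexesAllowed", "")),
            }
    return roles

def effective_indexes(roles: Dict[str, dict], name: str, seen: Optional[Set[str]] = None) -> Set[str]:
    """Union of index patterns over the role and everything it transitively imports."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:  # unknown role or import cycle
        return set()
    seen.add(name)
    out = set(roles[name]["indexes"])
    for parent in roles[name]["imports"]:
        out |= effective_indexes(roles, parent, seen)
    return out

def pattern_matches(pattern: str, index: str) -> bool:
    """Assumed Splunk rule: '*' never matches internal (underscore) indexes, '_*' does."""
    if index.startswith("_") and pattern == "*":
        return False
    return fnmatch.fnmatchcase(index, pattern)

def roles_with_internal_access(text: str, index: str = "_internal") -> Dict[str, Set[str]]:
    """Map each role that can search `index` to the pattern(s) granting it."""
    roles = parse_roles(text)
    flagged = {}
    for name in roles:
        hits = {p for p in effective_indexes(roles, name) if pattern_matches(p, index)}
        if hits:
            flagged[name] = hits
    return flagged

if __name__ == "__main__":
    for role, patterns in sorted(roles_with_internal_access(SAMPLE_AUTHORIZE_CONF).items()):
        print(f"{role}: _internal readable via {sorted(patterns)}")
```

Run it against a concatenation of your deployment's authorize.conf layers (system/default, app-level, local) to see the merged picture; roles flagged here can read conf.log on affected SHC members.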
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: cisco
- Date Reserved: 2025-10-08T11:59:15.384Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69969ef76aea4a407a3d9a81
Added to database: 2/19/2026, 5:26:15 AM
Last enriched: 2/19/2026, 5:40:43 AM
Last updated: 2/19/2026, 7:04:56 AM