CVE-2026-20164 is a vulnerability affecting multiple versions of Splunk Enterprise (below 10.2.0, 10.0.3, 9.4.9, and 9.3.10) and Splunk Cloud Platform (below 10.2.2510.5, 10.1.2507.16, 10.0.2503.11, and 9.3.2411.123). The flaw arises from improper access control on the REST API endpoint `/splunkd/__raw/servicesNS/-/-/configs/conf-passwords`, which exposes the contents of the passwords.conf configuration file. This file contains sensitive credentials in hashed or plaintext form. Low-privileged users who do not have the "admin" or "power" roles can exploit this endpoint to retrieve these credentials, leading to unauthorized disclosure of sensitive information. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS v3.1 base score is 6.5, reflecting a network attack vector with low attack complexity, requiring privileges but no user interaction, and resulting in a high confidentiality impact without affecting integrity or availability. Although no known exploits have been reported in the wild, the exposure of credentials could facilitate further attacks such as privilege escalation or lateral movement within affected environments. The vulnerability affects a broad range of Splunk versions, indicating that many organizations using Splunk Enterprise or Cloud Platform might be vulnerable if not updated. The root cause is insufficient access control on a sensitive API endpoint, which should be restricted to authorized roles only. Mitigation involves upgrading to fixed versions or implementing strict role-based access controls and monitoring access to sensitive endpoints.

The primary impact of CVE-2026-20164 is the unauthorized disclosure of sensitive credentials stored within Splunk's passwords.conf file. This can lead to significant confidentiality breaches, as attackers with low privileges can obtain hashed or plaintext passwords. Such credentials could be leveraged to escalate privileges, gain administrative access, or move laterally within an organization's network, potentially compromising other systems and data. Although the vulnerability does not directly affect system integrity or availability, the indirect consequences of credential theft can be severe, including data breaches, operational disruptions, and compliance violations. Organizations relying heavily on Splunk for security monitoring and log management may face increased risk if attackers exploit this flaw to undermine their security posture. The ease of exploitation (network accessible, low privileges required, no user interaction) increases the threat level, especially in environments with multiple users or less stringent role assignments. The absence of known exploits in the wild suggests limited immediate risk but does not preclude future exploitation attempts. Overall, the vulnerability poses a medium risk but with potential for significant downstream impact if exploited.

1. Upgrade affected Splunk Enterprise and Splunk Cloud Platform instances to the patched versions: 10.2.0 or later for Enterprise, and corresponding fixed Cloud Platform versions (10.2.2510.5 or later). 2. Immediately review and tighten role-based access controls to ensure that only users with 'admin' or 'power' roles can access sensitive REST API endpoints, especially `/splunkd/__raw/servicesNS/-/-/configs/conf-passwords`. 3. Implement network segmentation and firewall rules to restrict access to Splunk management interfaces and APIs to trusted administrators only. 4. Monitor logs and audit access to the sensitive API endpoints for unusual or unauthorized access attempts. 5. Rotate any credentials stored in passwords.conf that may have been exposed or are suspected to be compromised. 6. Employ multi-factor authentication (MFA) for all privileged Splunk accounts to reduce risk from credential theft. 7. Conduct regular security assessments and penetration tests focusing on Splunk deployments to detect similar misconfigurations or vulnerabilities. 8. Educate Splunk administrators on the importance of least privilege principles and secure configuration management to prevent future access control issues.