CVE-2026-20164: Exposure of sensitive information to an actor not explicitly authorized to access it, in Splunk Enterprise (vendor: Splunk)
In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, 10.0.2503.11, and 9.3.2411.123, a low-privileged user that does not hold the "admin" or "power" Splunk roles could access the `/splunkd/__raw/servicesNS/-/-/configs/conf-passwords` REST API endpoint, which, due to improper access control, exposes the hashed or plaintext password values stored in the passwords.conf configuration file. This vulnerability could allow the unauthorized disclosure of sensitive credentials.
AI Analysis
Technical Summary
CVE-2026-20164 is a vulnerability in Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.10, as well as the corresponding versions of Splunk Cloud Platform, where a low-privileged user lacking the admin or power role can access the `/splunkd/__raw/servicesNS/-/-/configs/conf-passwords` REST API endpoint. This endpoint improperly exposes sensitive information, specifically the hashed or plaintext passwords stored in the passwords.conf configuration file. The root cause is insufficient access control on this REST API endpoint, which allows unauthorized users to retrieve credential data. The vulnerability has a CVSS 3.1 base score of 6.5, reflecting a network attack vector, low attack complexity, low privileges required, and no user interaction needed. The impact is primarily on confidentiality: attackers can obtain sensitive credentials that may be reused or cracked to escalate privileges or move laterally within an environment. Integrity and availability are not directly affected. No public exploits have been reported yet, but the exposure of stored credentials makes this a significant risk. The vulnerability affects a broad range of Splunk versions widely used in enterprise security monitoring and log management, making it a critical concern for organizations relying on Splunk for operational intelligence and security analytics.
Potential Impact
The unauthorized disclosure of sensitive credentials due to this vulnerability can have severe consequences for organizations globally. Attackers gaining access to hashed or plaintext passwords can attempt credential reuse or offline cracking, potentially escalating privileges within the Splunk environment or other connected systems. This can lead to unauthorized access to critical monitoring data, manipulation of logs, or disruption of security operations. Compromise of Splunk credentials may also facilitate lateral movement within enterprise networks, increasing the risk of broader breaches. Since Splunk is widely deployed in sectors such as finance, healthcare, government, and critical infrastructure, the impact extends to highly sensitive and regulated environments. The vulnerability undermines the confidentiality of security monitoring tools, which are foundational to detecting and responding to cyber threats, thereby weakening overall organizational security posture.
Mitigation Recommendations
Organizations should immediately upgrade affected Splunk Enterprise instances to a fixed release in their version line (10.2.0, 10.0.3, 9.4.9, or 9.3.10 or later) and affected Splunk Cloud Platform instances to the corresponding patched releases (10.2.2510.5, 10.1.2507.16, 10.0.2503.11, or 9.3.2411.123 or later), as provided by Splunk. In environments where immediate patching is not feasible, administrators should restrict access to the `/splunkd/__raw/servicesNS/-/-/configs/conf-passwords` REST API endpoint through network segmentation, firewall rules, or Splunk role-based access controls so that low-privileged users cannot query it. Review and tighten Splunk user roles and permissions to ensure that only trusted administrators have access to sensitive configuration data. Enable monitoring and alerting for unusual access to this endpoint or other attempts to retrieve configuration files. Additionally, rotate any credentials that may have been exposed from passwords.conf and enforce strong password policies to reduce the risk from credential compromise. Regularly audit Splunk configurations and logs to detect unauthorized access attempts. Finally, maintain up-to-date backups and incident response plans so that potential exploitation can be handled quickly.
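The monitoring recommendation above can be turned into concrete detection logic. The following is an added example written for this page, not code from the advisory or from Splunk: it scans access-log lines for reads of the `configs/conf-passwords` endpoint and flags any request by a user who holds neither the admin nor the power role. The log format is an assumption that approximates Splunk's `splunkd_access` lines (client, user, timestamp, request line, status), the sample lines and the user-to-role mapping are constructed for the example, and in a real deployment the roles would come from Splunk's user inventory rather than a hard-coded table.

```python
import re
from urllib.parse import urlsplit

# Assumed line layout, modelled on splunkd_access: "<src> - <user> [<ts>] "<method> <uri> HTTP/x.y" <status> <bytes> ..."
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# The endpoint named by the advisory; the servicesNS/<user>/<app> prefix varies, so match the tail.
SENSITIVE_PATH_SUFFIX = "/configs/conf-passwords"

# Roles the advisory says are entitled to read this endpoint.
PRIVILEGED_ROLES = {"admin", "power"}

# Constructed user -> roles mapping (stand-in for the real authorization data).
USER_ROLES = {
    "admin": {"admin"},
    "svc_soc": {"power", "user"},
    "jdoe": {"user"},
    "guest": set(),
}

# Constructed sample log lines for the example.
SAMPLE_LOG = """\
10.0.0.5 - admin [11/Mar/2026:16:30:08.000 +0000] "GET /servicesNS/-/-/configs/conf-passwords HTTP/1.1" 200 4210 - - - 12ms
10.0.0.7 - jdoe [11/Mar/2026:16:31:10.000 +0000] "GET /servicesNS/-/-/configs/conf-passwords?output_mode=json HTTP/1.1" 200 4210 - - - 9ms
10.0.0.7 - jdoe [11/Mar/2026:16:31:12.000 +0000] "GET /servicesNS/-/-/saved/searches HTTP/1.1" 200 8800 - - - 5ms
10.0.0.9 - guest [11/Mar/2026:16:32:00.000 +0000] "GET /servicesNS/-/-/configs/conf-passwords HTTP/1.1" 403 120 - - - 2ms
10.0.0.5 - svc_soc [11/Mar/2026:16:33:00.000 +0000] "GET /servicesNS/nobody/search/configs/conf-passwords HTTP/1.1" 200 4210 - - - 10ms
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Compare on the path only; query strings such as output_mode must not hide a hit.
    rec["path"] = urlsplit(rec["uri"]).path
    rec["status"] = int(rec["status"])
    return rec


def is_privileged(user, roles=USER_ROLES):
    """True if the user holds at least one of the roles entitled to the endpoint."""
    return bool(roles.get(user, set()) & PRIVILEGED_ROLES)


def find_suspicious_reads(log_text, roles=USER_ROLES):
    """Return findings for conf-passwords requests by users without admin/power.

    A 2xx response from an unpatched host means the credentials were disclosed
    ('unauthorized_read'); a non-2xx response still records a probe ('denied_attempt').
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith(SENSITIVE_PATH_SUFFIX):
            continue
        if is_privileged(rec["user"], roles):
            continue
        kind = "unauthorized_read" if 200 <= rec["status"] < 300 else "denied_attempt"
        findings.append({"user": rec["user"], "src": rec["src"], "ts": rec["ts"],
                         "status": rec["status"], "kind": kind})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_reads(SAMPLE_LOG):
        print(f"{f['kind']:18} user={f['user']} src={f['src']} status={f['status']} at {f['ts']}")
```

The same check inside Splunk itself would search `index=_internal sourcetype=splunkd_access` for requests whose URI contains `configs/conf-passwords` and join the `user` field against the role inventory, alerting on any match outside the admin and power roles; the script above is the offline equivalent for log exports or for SIEMs that ingest the access log. Treat a 2xx hit from an unpatched host as confirmed disclosure and rotate every secret held in passwords.conf.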
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Japan, Netherlands, Singapore, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: cisco
- Date Reserved: 2025-10-08T11:59:15.389Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b198902f860ef9433d35e9
Added to database: 3/11/2026, 4:30:08 PM
Last enriched: 3/11/2026, 4:46:03 PM
Last updated: 3/14/2026, 3:07:12 AM