CVE-2026-20165 affects multiple versions of Splunk Enterprise and Splunk Cloud Platform, specifically versions below 10.2.1, 10.0.4, 9.4.9, and 9.3.10 for Enterprise, and corresponding Cloud Platform versions. The vulnerability arises from improper access control in the MongoClient logging channel, which logs job search activities. Low-privileged users lacking admin or power roles can access these logs, which may contain sensitive information such as search queries, user data, or system details. This leakage can provide attackers with valuable insights into system operations or user behavior, potentially facilitating further attacks or data exfiltration. The vulnerability is remotely exploitable without user interaction, with a CVSS v3.1 score of 6.3, reflecting medium severity. The attack vector is network-based with low attack complexity and requires low privileges, impacting confidentiality, integrity, and availability. No public exploits are known, but the risk remains significant due to the nature of the data exposed and the widespread use of Splunk in enterprise environments.

The vulnerability can lead to unauthorized disclosure of sensitive information contained in Splunk job search logs, which may include user credentials, query parameters, or internal system details. This exposure can compromise confidentiality and potentially integrity if attackers use the information to craft further attacks or escalate privileges. Availability could also be impacted if attackers leverage the information to disrupt Splunk services or related infrastructure. Organizations relying on Splunk for security monitoring, log aggregation, or operational intelligence could face increased risk of data breaches, compliance violations, and operational disruptions. The medium severity rating indicates a significant but not critical threat, emphasizing the need for timely remediation to prevent exploitation.

Organizations should upgrade affected Splunk Enterprise and Cloud Platform instances to versions 10.2.1, 10.0.4, 9.4.9, or 9.3.10 or later, where the vulnerability is patched. Until upgrades are applied, restrict access to Splunk job search logs by enforcing strict role-based access controls, ensuring only trusted admin or power users can view sensitive logs. Review and audit user roles and permissions regularly to detect and remove unnecessary privileges. Implement network segmentation and firewall rules to limit access to Splunk management interfaces. Monitor Splunk logs for unusual access patterns or attempts to access restricted logs. Additionally, consider encrypting log data at rest and in transit to reduce exposure risk. Finally, maintain an incident response plan to quickly address any suspected exploitation.