CVE-2026-20166: Exposure of sensitive information to an unauthorized actor (CWE-200) in Splunk Enterprise
In Splunk Enterprise versions below 10.2.1 and 10.0.4, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, and 10.0.2503.12, a low-privileged user that does not hold the "admin" or "power" Splunk roles could retrieve the Observability Cloud API access token through the Discover Splunk Observability Cloud app due to improper access control. This vulnerability does not affect Splunk Enterprise versions below 9.4.9 and 9.3.10 because the Discover Splunk Observability Cloud app does not come with Splunk Enterprise.
AI Analysis
Technical Summary
CVE-2026-20166 is an information disclosure vulnerability (CWE-200, Exposure of Sensitive Information to an Unauthorized Actor) in the Discover Splunk Observability Cloud app that ships with Splunk Enterprise 10.x and Splunk Cloud Platform. Affected builds are Splunk Enterprise below 10.2.1 on the 10.2 line and below 10.0.4 on the 10.0 line, and Splunk Cloud Platform below 10.2.2510.5, 10.1.2507.16 and 10.0.2503.12. Splunk Enterprise 9.4.x below 9.4.9 and 9.3.x below 9.3.10 are not affected because those releases do not bundle the app.
The defect is an access-control check in the app that is missing or too permissive: any authenticated user, including one holding only a low-privileged role and neither the admin nor the power role, can retrieve the Observability Cloud API access token the app stores. That token authenticates to Splunk Observability Cloud, a separate SaaS tenant, so whoever holds it can read, and depending on the token's permissions modify, observability data there without any further Splunk Enterprise authorization.
The CVSS v3.1 base score is 5.4 (Medium): network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, low confidentiality and integrity impact and no availability impact (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). The score models a token of limited reach; where the exposed token carries broad permissions in the Observability Cloud organisation, the practical impact is higher than the number suggests.
The CVE was reserved on 2025-10-08 and published in March 2026. No public exploit had been reported at the time of writing. Exploitation requires valid Splunk credentials, so the realistic threat actors are insiders, contractors and anyone who has phished or otherwise obtained a low-privileged Splunk account.
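The affected ranges above span four release lines with different fixed builds, plus a 9.x carve-out that depends on whether the app was bundled. The following is an added example for this page, not Splunk's tooling and not from the advisory, that encodes the advisory's ranges in one triage function; the input is the version string from `splunk version` on the host or the `version` field of GET /services/server/info on the management port. One inference is labelled in the code: the advisory says 9.4.x below 9.4.9 and 9.3.x below 9.3.10 lack the app and lists no 9.x build as affected, so the function reports 9.4.9+ and 9.3.10+ as "not listed" rather than as safe, and the same for any release line the advisory does not mention.

```python
"""Triage a Splunk version string against the ranges in the CVE-2026-20166
advisory.  Added example for this page, not Splunk's own tooling.

Input: the version reported by `splunk version` on the host, or the
"version" field of GET https://<host>:8089/services/server/info.
"""
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Lowest fixed build per release line, exactly as the advisory states them.
ENTERPRISE_FIXED: Dict[Version, Version] = {
    (10, 2): (10, 2, 1),
    (10, 0): (10, 0, 4),
}
CLOUD_FIXED: Dict[Version, Version] = {
    (10, 2): (10, 2, 2510, 5),
    (10, 1): (10, 1, 2507, 16),
    (10, 0): (10, 0, 2503, 12),
}
# 9.x: the Discover Splunk Observability Cloud app is not bundled below
# these builds, so the advisory puts them out of scope.
ENTERPRISE_NO_APP_BELOW: Dict[Version, Version] = {
    (9, 4): (9, 4, 9),
    (9, 3): (9, 3, 10),
}


def parse_version(text: str) -> Version:
    """'10.2.2510.5' -> (10, 2, 2510, 5); rejects anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable Splunk version: {text!r}")
    return tuple(int(p) for p in parts)


def _below(v: Version, bound: Version) -> bool:
    """Numeric comparison with zero padding, so 10.2 < 10.2.1."""
    width = max(len(v), len(bound))

    def pad(t: Version) -> Version:
        return t + (0,) * (width - len(t))

    return pad(v) < pad(bound)


def _fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def triage(version: str, product: str = "enterprise") -> Tuple[Optional[bool], str]:
    """Return (affected, note).

    affected is True/False when the advisory covers the release line and
    None when it does not, so a caller cannot mistake "unknown" for "safe".
    """
    v = parse_version(version)
    line = v[:2]
    if product == "enterprise":
        if line in ENTERPRISE_FIXED:
            fixed = ENTERPRISE_FIXED[line]
            if _below(v, fixed):
                return True, f"affected; upgrade to {_fmt(fixed)} or later"
            return False, f"at or above fixed build {_fmt(fixed)}"
        if line in ENTERPRISE_NO_APP_BELOW:
            cutoff = ENTERPRISE_NO_APP_BELOW[line]
            if _below(v, cutoff):
                return False, ("Discover Splunk Observability Cloud app not bundled "
                               "with this build; not affected per advisory")
            # Inference, not an advisory statement: 9.4.9+/9.3.10+ are not listed
            # as affected, but the advisory does not say they ship a fixed app.
            return None, f"{_fmt(v)} not listed as affected; confirm with Splunk"
        return None, f"release line {_fmt(line)} not covered by the advisory"
    if product == "cloud":
        if line in CLOUD_FIXED:
            fixed = CLOUD_FIXED[line]
            if _below(v, fixed):
                return True, f"affected; stack should be moved to {_fmt(fixed)} or later"
            return False, f"at or above fixed build {_fmt(fixed)}"
        return None, f"release line {_fmt(line)} not covered by the advisory"
    raise ValueError("product must be 'enterprise' or 'cloud'")


if __name__ == "__main__":
    for ver, prod in [("10.2.0", "enterprise"), ("10.0.4", "enterprise"),
                      ("9.4.8", "enterprise"), ("9.4.9", "enterprise"),
                      ("10.1.2507.15", "cloud"), ("10.3.0", "enterprise")]:
        print(prod, ver, triage(ver, prod))
```

Run it over the inventory exported from your deployment server or from each search head's server/info endpoint; anything that comes back `None` needs a human decision, and a 9.x host on which the app was installed separately is not covered by the advisory's carve-out at all.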
Potential Impact
The direct impact is disclosure of the Observability Cloud API access token to any authenticated low-privileged Splunk user. The token is a bearer credential for the organisation's Splunk Observability Cloud tenant, so its holder can call the Observability Cloud API to read whatever the token is entitled to, which can include infrastructure metrics, APM traces and logs, and the dashboards and detectors (alert rules) built on them, and, if the token carries write permissions, to change or delete them. An attacker could map the environment from its telemetry (host names, service topology, software versions), tamper with detectors to suppress alerts, or inject misleading data to confuse an investigation.
The vulnerability does not by itself compromise the Splunk Enterprise host, raise the user's Splunk role, or affect the availability of Splunk Enterprise. Its severity is bounded by the permissions and lifetime of the exposed token: a token with broad organisation-level rights, or one that is never rotated, turns a medium-severity read of a secret into persistent access to the monitoring tenant. Because the token stays valid until it is revoked, patching Splunk alone does not undo a disclosure that has already happened. The risk is highest where observability data feeds security analytics or compliance reporting, or where the monitored infrastructure is critical.
Mitigation Recommendations
Upgrade. Move Splunk Enterprise to 10.2.1 or later on the 10.2 line or 10.0.4 or later on the 10.0 line; Splunk Cloud Platform customers should confirm their stack is on 10.2.2510.5, 10.1.2507.16 or 10.0.2503.12 or later. Confirm the running build with `splunk version` on the host or the `version` field of GET /services/server/info on the management port (8089 by default).
Rotate the token. Treat the Observability Cloud API access token configured in the Discover Splunk Observability Cloud app as compromised on any instance that ran an affected build while users outside the admin and power roles could log in. Revoke it in Splunk Observability Cloud, issue a replacement with the narrowest permissions the integration needs, and reconfigure the app. Do this after patching, otherwise the replacement is exposed the same way. Patching alone does not invalidate a token that has already been read.
Limit exposure until patched. Restrict read access to the app to the admin and power roles through the app's permissions (Manage Apps, Permissions in the UI, or the app's metadata/local.meta). This hides the app from other users but is defence in depth rather than a fix: the advisory describes the flaw as an access-control failure inside the app, and it does not say whether app-level permissions also block the underlying REST endpoint. If the Observability Cloud integration is not in use, remove the token from the app's configuration or disable the app.
Review and monitor. Check which accounts hold no admin or power role and whether they need interactive access at all. Search the _internal index (sourcetype splunkd_access) for requests to the app's endpoints by users outside those roles during the exposure window, and check the Observability Cloud side for API calls with the old token from unexpected source addresses or user agents. Keep the management port off untrusted networks, and periodically audit installed apps and the credentials they store for similar weak access checks.
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, Japan, France, Netherlands, India, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: cisco
- Date Reserved: 2025-10-08T11:59:15.390Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b198902f860ef9433d35ef
Added to database: 3/11/2026, 4:30:08 PM
Last enriched: 3/18/2026, 7:10:10 PM
Last updated: 4/26/2026, 12:15:44 AM