CVE-2026-20166: Exposure of sensitive information to an unauthorized actor (CWE-200) in Splunk Enterprise
In Splunk Enterprise versions below 10.2.1 and 10.0.4, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, and 10.0.2503.12, a low-privileged user that does not hold the "admin" or "power" Splunk roles could retrieve the Observability Cloud API access token through the Discover Splunk Observability Cloud app due to improper access control. This vulnerability does not affect Splunk Enterprise versions below 9.4.9 and 9.3.10 because the Discover Splunk Observability Cloud app does not come with Splunk Enterprise.
AI Analysis
Technical Summary
CVE-2026-20166 is an improper access control flaw in the Discover Splunk Observability Cloud app that ships with Splunk Enterprise 10.x and Splunk Cloud Platform. Affected builds are Splunk Enterprise below 10.2.1 and 10.0.4, and Splunk Cloud Platform below 10.2.2510.5, 10.1.2507.16 and 10.0.2503.12. The app stores an Observability Cloud API access token, the credential Splunk uses to call the Splunk Observability Cloud API on the organization's behalf, and should hand it back only to users holding the "admin" or "power" role. Because the app does not enforce that check, any authenticated Splunk user, whatever their role, can read the token. Splunk Enterprise below 9.4.9 and 9.3.10 is not affected because those builds do not include the app. The CVSS v3.1 base score is 5.4 (medium): network attack vector, low attack complexity, low privileges required, no user interaction, low confidentiality impact and low integrity impact, since the leaked token can be replayed against the Observability Cloud API with whatever permissions it carries. The attacker needs a valid Splunk login; this is a post-authentication disclosure, not an unauthenticated leak. No exploitation in the wild is known at the time of writing, but the app is bundled with every affected 10.x deployment, so an organization that has connected Splunk to Observability Cloud and has non-admin Splunk accounts should treat the token as potentially exposed.
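The version ranges in the summary above are easy to misread during fleet triage, so here is an added example (not from the advisory or from Splunk) that encodes them as a classifier. The product labels "enterprise" and "cloud", the handling of branches the advisory does not mention (which it reports as unknown_branch rather than guessing), and the inventory at the bottom are assumptions made for this example.

```python
"""Triage helper for CVE-2026-20166: classify Splunk Enterprise and Splunk Cloud
Platform versions against the ranges in the advisory text. Added example, not
Splunk code; the inventory at the bottom is constructed."""

# First fixed build per branch, keyed by "major.minor", as stated in the advisory.
ENTERPRISE_FIXED = {"10.2": "10.2.1", "10.0": "10.0.4"}
CLOUD_FIXED = {"10.2": "10.2.2510.5", "10.1": "10.1.2507.16", "10.0": "10.0.2503.12"}
# Enterprise 9.x builds below these do not ship the Discover app at all.
ENTERPRISE_NO_APP_BELOW = {"9.4": "9.4.9", "9.3": "9.3.10"}


def parse_version(v):
    """'10.2.2510.5' -> (10, 2, 2510, 5). A build suffix after '-' is ignored."""
    return tuple(int(p) for p in v.split("-", 1)[0].split("."))


def assess(product, version):
    """Return one of: affected, fixed, not_affected, unknown_branch.

    'unknown_branch' means the advisory makes no statement for that build
    (for example Enterprise 9.4.9 itself, or a 10.1.x Enterprise build); check
    the vendor advisory and whether the Discover app is installed before deciding.
    """
    parts = parse_version(version)
    branch = f"{parts[0]}.{parts[1]}"
    if product == "enterprise":
        if parts[0] < 10:
            floor = ENTERPRISE_NO_APP_BELOW.get(branch)
            if floor and parts < parse_version(floor):
                return "not_affected"
            return "unknown_branch"
        table = ENTERPRISE_FIXED
    elif product == "cloud":
        table = CLOUD_FIXED
    else:
        raise ValueError(f"unknown product {product!r}")
    fixed = table.get(branch)
    if fixed is None:
        return "unknown_branch"
    return "affected" if parts < parse_version(fixed) else "fixed"


# Constructed inventory (hostname, product, version) standing in for real asset data.
INVENTORY = [
    ("sh-01", "enterprise", "10.2.0"),
    ("sh-02", "enterprise", "10.0.4"),
    ("legacy-01", "enterprise", "9.4.5"),
    ("cloud-stack", "cloud", "10.1.2507.15"),
]


def triage(inventory):
    """Map each host to its status so the affected ones can be scheduled first."""
    return {host: assess(product, ver) for host, product, ver in inventory}


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

Tuple comparison does the right thing for the four-part Cloud build numbers, and the 9.x handling deliberately refuses to call 9.4.9 or 9.3.10 themselves safe, because the advisory only says that builds below them lack the app.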
Potential Impact
The direct impact is disclosure of the Observability Cloud API access token to any authenticated Splunk user. Whoever holds the token can call the Observability Cloud API as the integration does: read metrics, traces and other telemetry about the monitored environment and, depending on how the token was scoped, write or alter observability data, which is why the score carries both a confidentiality and an integrity component. The exposure is of the organization's Observability Cloud tenant, not of Splunk itself; the advisory does not describe any escalation of Splunk roles. For an organization that runs Splunk as its SIEM, Observability Cloud telemetry still tells an intruder what is monitored and where, which helps reconnaissance and evasion. Both self-managed Splunk Enterprise and vendor-managed Splunk Cloud Platform are affected. No active exploitation has been reported, but exploitation needs nothing beyond an ordinary Splunk login: a phished analyst account, a contractor with a read-only role or a disgruntled insider is enough.
Mitigation Recommendations
Upgrade first: move Splunk Enterprise to 10.2.1 or 10.0.4 (whichever matches the deployed branch) and confirm Splunk Cloud Platform stacks are on 10.2.2510.5, 10.1.2507.16 or 10.0.2503.12 or later; Cloud upgrades are applied by Splunk, so check the stack version rather than assuming. Restricting network access to the management port does not help here, because the attacker is a legitimately authenticated user. Until the upgrade lands, reduce who can reach the app: in Manage Apps > Permissions, limit read access to the Discover Splunk Observability Cloud app to the admin and power roles, or disable the app entirely if the Observability Cloud integration is not in use. Assume the token may already have been read: rotate the Observability Cloud API access token in Observability Cloud, update the app with the new value, and review Observability Cloud for API activity that does not match the integration's normal pattern. On the Splunk side, look in splunkd_access.log and the _audit index for requests to the app by accounts that do not hold admin or power, and audit role definitions (authorize.conf or Settings > Roles), including imported roles, so that you know which accounts are actually privileged. Multi-factor authentication on Splunk logins, regular audits of installed apps and an incident response plan that covers credential exposure remain good hygiene but do not substitute for the upgrade and the token rotation.
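Two of the points above, the missing role check described in the technical summary and the log review recommended here, share the same core question: does this account's role, directly or through role inheritance, carry admin or power? The following added example (not Splunk's or the Discover app's code) answers it once and reuses the answer both in a vulnerable-versus-hardened handler and in a retrospective pass over access-log lines. The authorize.conf stanzas, the user-to-role map, the log lines, the app ID discover_observability and the token endpoint path are all constructed for the example; the advisory does not name the real endpoint.

```python
"""Illustrative authorization gate and log check for the flaw class behind
CVE-2026-20166: a stored API token served to every authenticated role. Added
example, not Splunk's or the Discover app's code. The role stanzas, user-to-role
map, log lines, app ID 'discover_observability' and endpoint path are constructed."""
import re

# Constructed authorize.conf-style stanzas; Splunk roles inherit via importRoles.
AUTHORIZE_CONF = """
[role_admin]
importRoles = power;user
[role_power]
importRoles = user
[role_user]
search = enabled
[role_obs_viewer]
importRoles = power
[role_analyst]
importRoles = user
"""
PRIVILEGED = {"admin", "power"}          # roles the advisory says should be required
STORED_TOKEN = "o11y-token-EXAMPLE-000"  # constructed placeholder, not a real credential


def parse_roles(conf):
    """Map each [role_<name>] stanza to the roles it directly imports."""
    imports = {}
    current = None
    for raw in conf.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"\[role_([^\]]+)\]", line)
        if m:
            current = m.group(1)
            imports.setdefault(current, set())
        elif current and line.startswith("importRoles"):
            value = line.split("=", 1)[1]
            imports[current].update(r.strip() for r in value.split(";") if r.strip())
    return imports


def effective_roles(role, imports):
    """Transitive closure over importRoles, cycle-safe."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(imports.get(r, ()))
    return seen


def token_read_allowed(user_roles, imports):
    """True when any assigned role is, or inherits, admin or power."""
    effective = set().union(*(effective_roles(r, imports) for r in user_roles))
    return bool(effective & PRIVILEGED)


def get_token_vulnerable(user_roles, imports):
    # The CWE-200 pattern: the caller is authenticated, so the handler assumes
    # it is authorized and returns the secret to every role.
    return STORED_TOKEN


def get_token_hardened(user_roles, imports):
    # Resolve inheritance so a custom role importing 'power' still works,
    # while 'user' (directly or via a custom role) is refused.
    if not token_read_allowed(user_roles, imports):
        raise PermissionError("role not authorized to read the Observability Cloud token")
    return STORED_TOKEN


# Retrospective check over splunkd_access.log-style lines (constructed): a 200 on
# the token endpoint for an account lacking admin/power is what to look for.
ACCESS_RE = re.compile(r'^(\S+) - (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TOKEN_PATH_RE = re.compile(r"/servicesNS/[^/]+/discover_observability/\S*token")  # hypothetical
SAMPLE_LOG = """\
10.0.0.5 - alice [11/Mar/2026:16:30:08.101 +0000] "GET /servicesNS/nobody/discover_observability/token HTTP/1.1" 200 512 "-" "Mozilla/5.0" - 4ms
10.0.0.6 - bob [11/Mar/2026:16:31:12.044 +0000] "GET /servicesNS/nobody/discover_observability/token HTTP/1.1" 200 512 "-" "Mozilla/5.0" - 3ms
10.0.0.7 - carol [11/Mar/2026:16:32:40.777 +0000] "GET /servicesNS/nobody/discover_observability/token HTTP/1.1" 200 512 "-" "curl/8.5.0" - 2ms
10.0.0.7 - carol [11/Mar/2026:16:33:01.000 +0000] "GET /services/server/info HTTP/1.1" 200 900 "-" "curl/8.5.0" - 1ms
"""
USER_ROLES = {"alice": ["admin"], "bob": ["obs_viewer"], "carol": ["analyst"]}


def suspicious_token_reads(log, user_roles, imports):
    """Successful token-endpoint reads by accounts whose roles should not permit them."""
    hits = []
    for line in log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ip, user, ts, _method, path, status = m.groups()
        if status != "200" or not TOKEN_PATH_RE.search(path):
            continue
        if not token_read_allowed(user_roles.get(user, []), imports):
            hits.append({"user": user, "ip": ip, "time": ts, "path": path})
    return hits


if __name__ == "__main__":
    roles = parse_roles(AUTHORIZE_CONF)
    for hit in suspicious_token_reads(SAMPLE_LOG, USER_ROLES, roles):
        print(f"review: {hit['user']} from {hit['ip']} at {hit['time']} read {hit['path']}")
```

The inheritance resolution is the part worth copying: a check that compares role names literally would wrongly refuse obs_viewer (which imports power) and, in the log pass, would generate a false positive for bob while the real finding is carol, whose analyst role only inherits user. Swap the constructed path pattern for the endpoint observed in your own splunkd_access.log before using this against real data.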
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, Japan, France, Netherlands, India, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: cisco
- Date Reserved: 2025-10-08T11:59:15.390Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b198902f860ef9433d35ef
Added to database: 3/11/2026, 4:30:08 PM
Last enriched: 3/11/2026, 4:45:29 PM
Last updated: 3/11/2026, 8:18:49 PM