CVE-2026-20202: Improper handling of input containing Unicode encoding in Splunk Enterprise
In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127, a user who holds a role that contains the high-privilege capability `edit_user` could create a specially crafted username that includes a null byte or a non-UTF-8 percent-encoded byte due to improper input validation.

This could lead to inconsistent conversion of usernames into a proper format for storage and account management inconsistencies, such as being unable to edit or delete affected users.
AI Analysis
Technical Summary
This vulnerability arises from improper input validation in Splunk Enterprise and certain Splunk Cloud Platform versions, allowing users with 'edit_user' privileges to create usernames containing null bytes or non-UTF-8 percent-encoded bytes. This causes inconsistent conversion of usernames, leading to account management issues such as inability to edit or delete these user accounts. The issue affects multiple versions of Splunk Enterprise below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and corresponding versions of Splunk Cloud Platform. The CVSS 3.1 base score is 6.6 with network attack vector, high privileges required, and high impact on confidentiality, integrity, and availability. The vendor has not provided explicit patch or remediation details in the available data.
Potential Impact
The vulnerability can cause account management inconsistencies by preventing modification or deletion of user accounts with specially crafted usernames. This could disrupt administrative operations and potentially affect system integrity and availability due to inability to manage user accounts properly. The CVSS score reflects a medium severity impact on confidentiality, integrity, and availability. There are no reports of active exploitation in the wild.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict the 'edit_user' capability to trusted administrators only to minimize risk. Monitor for any updates from Splunk regarding patches or workarounds addressing this input validation issue.
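A defender can check an existing account list for the two username patterns named in the description. The following is an added example, not Splunk code or part of the original advisory; it assumes the usernames have already been exported as plain strings by an administrator, and the sample names are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Matches a single percent-encoded byte such as %00 or %E9.
PCT = re.compile(r"%[0-9A-Fa-f]{2}")


def username_findings(name: str) -> list[str]:
    """Return the advisory patterns (if any) that a username matches."""
    findings = []
    if "\x00" in name:
        findings.append("literal null byte")
    if PCT.search(name):
        if "%00" in name:
            findings.append("percent-encoded null byte")
        # Decode the percent escapes to raw bytes, then require strict UTF-8.
        raw = unquote_to_bytes(name)
        try:
            raw.decode("utf-8", errors="strict")
        except UnicodeDecodeError:
            findings.append("percent-encoded non-UTF-8 byte")
    return findings


def audit(usernames):
    """Map each flagged username to its findings; clean names are omitted."""
    return {u: f for u in usernames if (f := username_findings(u))}


# Constructed sample input (hypothetical account names).
SAMPLE = [
    "alice",          # plain ASCII
    "jos%C3%A9",      # percent-encoded, valid UTF-8 (é)
    "100%25",         # percent-encoded '%', valid
    "bob%00admin",    # percent-encoded null byte
    "caf%E9",         # 0xE9 alone is not valid UTF-8
    "eve\x00",        # literal null byte
]

if __name__ == "__main__":
    for user, reasons in audit(SAMPLE).items():
        print(repr(user), "->", ", ".join(reasons))
```

Flagged accounts are the ones to review with the vendor's guidance, since the description notes they may not be editable or deletable through normal account management.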
Technical Details
- Data Version: 5.2
- Assigner Short Name: cisco
- Date Reserved: 2025-10-08T11:59:15.397Z
- Cvss Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69dfaf6882d89c981f612b6f
Added to database: 4/15/2026, 3:31:52 PM
Last enriched: 4/15/2026, 3:47:37 PM
Last updated: 4/15/2026, 7:04:28 PM