CVE-2026-20238: The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. in Splunk Splunk AI Toolkit
In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data that was restricted through `srchFilter` configurations on custom roles.<br><br>The app contains an `authorize.conf` configuration file with a `srchFilter` entry that modifies the built-in ‘user’ role. Because the Splunk platform combines inherited search filters with the `OR` SPL operator, the injected filter overrides more restrictive filters on child roles.
AI Analysis
Technical Summary
The vulnerability arises from incorrect authorization checks in Splunk AI Toolkit versions prior to 5.7.3. Specifically, the `authorize.conf` file contains a `srchFilter` entry that modifies the built-in 'user' role. Because the Splunk platform combines inherited search filters using the OR SPL operator, the injected filter can override more restrictive filters applied to child roles. This flaw enables low-privileged users lacking 'admin' or 'power' roles to access confidential data that should be restricted by custom role configurations.
Potential Impact
An attacker with low privileges can bypass intended access controls and gain unauthorized access to confidential data restricted by `srchFilter` configurations. The vulnerability impacts confidentiality but does not affect integrity or availability. There are no known exploits in the wild at this time.
Mitigation Recommendations
No official patch or remediation level is currently confirmed. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Users should monitor Splunk's official channels for updates and consider restricting low-privileged user access until a fix is available.
CVE-2026-20238: The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. in Splunk Splunk AI Toolkit
Description
In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data that was restricted through `srchFilter` configurations on custom roles.<br><br>The app contains an `authorize.conf` configuration file with a `srchFilter` entry that modifies the built-in ‘user’ role. Because the Splunk platform combines inherited search filters with the `OR` SPL operator, the injected filter overrides more restrictive filters on child roles.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability arises from incorrect authorization checks in Splunk AI Toolkit versions prior to 5.7.3. Specifically, the `authorize.conf` file contains a `srchFilter` entry that modifies the built-in 'user' role. Because the Splunk platform combines inherited search filters using the OR SPL operator, the injected filter can override more restrictive filters applied to child roles. This flaw enables low-privileged users lacking 'admin' or 'power' roles to access confidential data that should be restricted by custom role configurations.
Potential Impact
An attacker with low privileges can bypass intended access controls and gain unauthorized access to confidential data restricted by `srchFilter` configurations. The vulnerability impacts confidentiality but does not affect integrity or availability. There are no known exploits in the wild at this time.
Mitigation Recommendations
No official patch or remediation level is currently confirmed. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Users should monitor Splunk's official channels for updates and consider restricting low-privileged user access until a fix is available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- cisco
- Date Reserved
- 2025-10-08T11:59:15.400Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0df486ba1db4736293a1c0
Added to database: 5/20/2026, 5:51:02 PM
Last enriched: 5/20/2026, 5:51:14 PM
Last updated: 5/20/2026, 8:16:17 PM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.