What is the severity of CVE-2026-20164?

CVE-2026-20164 has a severity rating of MEDIUM with a CVSS base score of 6.5.

CVE-2026-20164 | Medium Vulnerability in Splunk Enterprise and Splunk Cloud Platform

Q: What is CVE-2026-20164?

A medium-severity vulnerability in Splunk Enterprise and Splunk Cloud Platform allows low-privileged users to access sensitive password information. Organizations should prioritize patching to mitigate risk.

In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, 10.0.2503.11, and 9.3.2411.123, a low-privileged user that does not hold the "admin" or "power" Splunk roles could access the `/splunkd/__raw/servicesNS/-/-/configs/conf-passwords` REST API endpoint. This endpoint exposes the hashed or plaintext password values that are stored in the passwords.conf configuration file due to improper access control. This vulnerability could allow for the unauthorized disclosure of sensitive credentials.

The CVSS score for this vulnerability is 6.5, indicating a medium severity level. Organizations relying on affected versions of Splunk should consider the real-world implications of this flaw, particularly the potential unauthorized access to sensitive credentials. The urgency for defenders is high as this vulnerability poses a significant risk to the confidentiality of the stored passwords.

Currently, there are no known public exploits or proof-of-concept code available for this vulnerability, and it has not been included in the Known Exploited Vulnerabilities (KEV) catalog. However, the potential impact on organizations remains a critical concern.

Organizations should prioritize patching immediately to mitigate the risks associated with this vulnerability and safeguard sensitive information within their Splunk deployments.

Vulnerability Details

The vulnerability allows low-privileged users to access sensitive password information. The affected versions include Splunk Enterprise and Splunk Cloud Platform as detailed in the official advisory. The CWE classification for this vulnerability is CWE-200, which corresponds to information exposure.

Technical Analysis

The root cause of this vulnerability stems from improper access control associated with the REST API endpoint. Attackers may leverage this flaw by making unauthorized requests to access sensitive credentials without requiring elevated privileges. The attack vector is network-based, with low complexity since no user interaction is necessary. The confidentiality impact is high, while integrity and availability impacts are none.

Risk & Impact Analysis

Risk to organizations includes unauthorized disclosure of sensitive credentials, which can lead to further exploitation of the affected systems. The potential blast radius is significant as multiple versions of both Splunk Enterprise and Splunk Cloud Platform are affected. Organizations should address this vulnerability in their priority patch cycle to prevent potential unauthorized access and mitigate the risks associated with credential exposure.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

The affected versions include: - Splunk Enterprise: All versions prior to 10.2.0, 10.0.3, 9.4.9, and 9.3.10. - Splunk Cloud Platform: All versions prior to 10.2.2510.5, 10.1.2507.16, 10.0.2503.11, and 9.3.2411.123.

Mitigation & Remediation

Organizations should apply the latest patches provided by Splunk to remediate the identified vulnerability. Regular monitoring of the environments for unauthorized access and ensuring proper access controls are in place can further mitigate risks. For additional security measures, organizations can engage in penetration testing to validate the integrity of their security posture.

Detection Guidance

Organizations should monitor logs for any unauthorized access attempts to the `/splunkd/__raw/servicesNS/-/-/configs/conf-passwords` endpoint. Behavioral anomalies and unexpected access patterns should be flagged and investigated promptly.

AppSecure Threat Intelligence Insight

The long-term significance of this vulnerability highlights the importance of proper access control measures in protecting sensitive information. This incident serves as a reminder for organizations to regularly review their security policies and ensure adherence to best practices. Security teams should also consider the penetration testing methodology to identify and address potential weaknesses in their systems.

Organizations are encouraged to stay informed about vulnerabilities affecting their software and consider subscribing to services that provide timely updates. The evolving threat landscape necessitates proactive measures to safeguard sensitive data.

In conclusion, addressing vulnerabilities like CVE-2026-20164 is essential for maintaining the security and integrity of systems. Timely remediation and continuous monitoring can significantly reduce the risk of exploitation.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2026-20164: Medium Vulnerability in Splunk Enterprise and Splunk Cloud Platform