
CVE-2026-20165: Medium Vulnerability in Splunk Enterprise and Splunk Cloud Platform

A medium-severity vulnerability in Splunk Enterprise and Splunk Cloud Platform allows low-privileged users to read sensitive information from a search job's search log. Affected deployments should be upgraded to the fixed versions listed below to prevent data exposure.

Severity: MEDIUM · CVSS 6.3 · Published March 11, 2026


In Splunk Enterprise versions below 10.2.1, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.7, 10.1.2507.17, 10.0.2503.12, and 9.3.2411.124, a low-privileged user who does not hold the "admin" or "power" Splunk role could retrieve sensitive information by inspecting a search job's search log, due to improper access control in the MongoClient logging channel.

The vulnerability carries a CVSS score of 6.3 (medium). The impact is disclosure: data that the MongoClient logging channel writes into the search log becomes readable by users who should not see it. Because the data a Splunk deployment indexes and searches is often itself sensitive (authentication, application and infrastructure logs), the practical consequence is unauthorized access to information that the role model was meant to protect.

At the time of writing there is no known exploit and no public proof of concept, so there is no evidence of active targeting. Exploitation does, however, require nothing beyond an authenticated low-privileged account, so patching should not wait for exploitation to be reported.

Defenders should schedule the upgrade promptly: every account that can run and inspect a search without the admin or power role is in scope, and in most deployments that is the majority of users.

Vulnerability Details

The vulnerability allows a low-privileged user to access sensitive information because access to the MongoClient logging channel's output in the search log is not properly controlled. The affected products are Splunk Enterprise and Splunk Cloud Platform, in the versions listed above.

The CWE classification for this vulnerability is CWE-532, "Insertion of Sensitive Information into Log File": the underlying weakness is that sensitive data is written to a log (here, the per-job search log) that a wider audience can read than intended. Organizations should take this classification into account when assessing their exposure, since the same log may have been readable for the entire time the affected version was running.

Technical Analysis

The root cause is improper access control on what the MongoClient logging channel emits into the search log, which lets low-privileged users retrieve sensitive information. The attack vector is network-based, attack complexity is low, and only low privileges (an ordinary authenticated account) are required.

No user interaction is required, scope is unchanged, and confidentiality, integrity, and availability impacts are each rated low. These metrics correspond to the CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L, which scores 6.3. In practice the meaningful impact is confidentiality: sensitive information can be read, but the vulnerability does not itself let the attacker change data or disrupt the service.

Risk & Impact Analysis

The risk to organizations is unauthorized access to sensitive information by users who already have accounts but are not administrators. Given the nature of the data Splunk handles, this can matter in regulated sectors where log content is itself subject to access restrictions.

Organizations should assess the blast radius in their own environment: how many accounts hold roles other than admin or power, and what the searches run by those accounts can touch. The exposure is to confidentiality; integrity and availability are not affected by this issue. Remediation should be prioritized in proportion to the size of that low-privileged user population.

Exploitation Status

Signal               Status
Known Exploit        No
Public PoC           No
Actively Exploited   No
Ransomware Use       No

Affected Versions

The following versions of Splunk products are affected: Splunk Enterprise versions below 10.2.1, 10.0.4, 9.4.9, and 9.3.10, as well as Splunk Cloud Platform versions below 10.2.2510.7, 10.1.2507.17, 10.0.2503.12, and 9.3.2411.124.
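Because the fix ships on several release lines at once, deciding whether a given build is affected means comparing only within its own major.minor line; a 9.4.x build is not fixed just because it is numerically below 10.2.1. The following is an added example, not vendor or AppSecure code: it encodes the fixed versions stated above and reports a branch the advisory does not mention as unknown rather than safe. The assumption that the first two numeric components identify the release line is mine.

```python
"""Assess a Splunk version against the fixed versions for CVE-2026-20165.

Added example, not Splunk's or AppSecure's code. Fixed versions are those
stated in the advisory; treating major.minor as the release line is an
assumption about how Splunk maintains parallel branches.
"""
from __future__ import annotations

# Minimum fixed version per release line, as stated in the advisory.
FIXED_VERSIONS = {
    "enterprise": ["10.2.1", "10.0.4", "9.4.9", "9.3.10"],
    "cloud": ["10.2.2510.7", "10.1.2507.17", "10.0.2503.12", "9.3.2411.124"],
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '10.2.2510.7' into (10, 2, 2510, 7).

    Rejects anything that is not dotted integers with at least major.minor,
    so a garbled inventory entry fails loudly instead of comparing wrongly.
    """
    parts = version.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def release_line(version: tuple[int, ...]) -> tuple[int, int]:
    """Release line = major.minor (assumption for this example)."""
    return (version[0], version[1])


def assess(product: str, version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown-branch' for a product/version.

    'unknown-branch' means the advisory lists no fixed build for this
    major.minor line; check the vendor advisory rather than assuming safety.
    A version with fewer components than the fixed build (e.g. '10.2.2510')
    compares as lower and is therefore reported vulnerable, which is the
    conservative outcome.
    """
    installed = parse_version(version)
    fixed_by_line = {
        release_line(parse_version(v)): parse_version(v)
        for v in FIXED_VERSIONS[product]
    }
    fixed = fixed_by_line.get(release_line(installed))
    if fixed is None:
        return "unknown-branch"
    return "fixed" if installed >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed inventory entries for illustration.
    inventory = [
        ("enterprise", "10.2.0"),
        ("enterprise", "9.4.9"),
        ("enterprise", "10.1.3"),
        ("cloud", "10.2.2510.6"),
        ("cloud", "9.3.2411.124"),
    ]
    for product, version in inventory:
        print(f"{product:10} {version:15} {assess(product, version)}")
```

Feed it the version strings from your asset inventory (for Splunk Enterprise, `splunk version` on each host; for Splunk Cloud Platform, the stack version shown in the product) and treat every `unknown-branch` result as a question for the vendor advisory, not as a pass.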

Mitigation & Remediation

Upgrade Splunk Enterprise to 10.2.1, 10.0.4, 9.4.9, or 9.3.10 (whichever matches the installed release line) or later. Splunk Cloud Platform stacks are upgraded by Splunk; customers should confirm their stack is at or above 10.2.2510.7, 10.1.2507.17, 10.0.2503.12, or 9.3.2411.124. Where an upgrade cannot be scheduled immediately, reduce the population that can reach the exposed log: review which accounts hold roles other than admin or power yet can run and inspect searches, remove accounts that no longer need access, and keep role assignments under regular review until the fix is applied.

Detection Guidance

Because a low-privileged user reads the search log through the ordinary job-inspection path, exploitation does not produce a distinctive failure to alert on. On an instance that ran an affected version, the useful detection work is scoping: Splunk records REST requests in splunkd_access.log (in the _internal index), so retrievals of a job's search.log by accounts without the admin or power role can be enumerated to establish who could have seen the exposed data, and accounts that pull search logs far more often than their workload explains deserve a closer look. Regular review of role assignments and capabilities also shrinks the population that can reach the log in the first place.

AppSecure Threat Intelligence Insight

This vulnerability is a reminder that logs are an output channel with its own audience: information that is acceptable in an administrator-only diagnostic becomes a disclosure the moment ordinary users can read the same file. As organizations concentrate sensitive data in analytics platforms like Splunk, the access model around diagnostic artifacts (search logs, job inspectors, debug channels) deserves the same scrutiny as the access model around the indexed data itself.

Security teams should review which roles can inspect search jobs, confirm that role assignments still match current job functions, and track vendor advisories for the Splunk release lines they run so that fixes on parallel branches are not missed. Regular security assessments that include the monitoring stack, not only the systems it monitors, help keep this class of exposure visible.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
