What is CVE-2026-20166?

A medium-severity vulnerability in Splunk could allow low-privileged users to access sensitive API tokens due to improper access control. Organizations should address this issue promptly by applying the relevant patches.

What is the severity of CVE-2026-20166?

CVE-2026-20166 has a severity rating of MEDIUM with a CVSS base score of 5.4.

CVE-2026-20166 | Medium Vulnerability in Splunk Splunk Cloud Platform

The vulnerability identified as CVE-2026-20166 affects multiple versions of Splunk, including Splunk Enterprise and Splunk Cloud Platform. This vulnerability allows a low-privileged user, lacking the "admin" or "power" roles, to retrieve the Observability Cloud API access token through the Discover Splunk Observability Cloud app. This is a significant concern as it stems from improper access control measures.

The severity of this vulnerability is classified as medium, with a CVSS score of 5.4. Organizations utilizing affected versions should be aware of the potential for unauthorized access to sensitive API tokens, which could lead to further exploitation or data leakage.

Risk to organizations includes the possibility of unauthorized access to critical resources, which may result in compromised application integrity and confidentiality. The vulnerability primarily impacts versions of Splunk Enterprise prior to 10.2.1 and 10.0.4, as well as specific versions of Splunk Cloud Platform.

Organizations should prioritize patching immediately. The affected Splunk products should be updated to their latest versions to mitigate this vulnerability and ensure robust access controls are in place.

Vulnerability Details

In Splunk Enterprise versions below 10.2.1 and 10.0.4, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, and 10.0.2503.12, a low-privileged user that does not hold the "admin" or "power" Splunk roles could retrieve the Observability Cloud API access token through the Discover Splunk Observability Cloud app due to improper access control. This vulnerability does not affect Splunk Enterprise versions below 9.4.9 and 9.3.10 because the Discover Splunk Observability Cloud app does not come with Splunk Enterprise.

The CVSS score of 5.4 indicates a medium severity level, with an attack vector classified as NETWORK. The attack complexity is rated as low, requiring low privileges and no user interaction.

Technical Analysis

The root cause of this vulnerability lies in the improper access control implemented within the Discover Splunk Observability Cloud app. This flaw allows low-privileged users to access sensitive resources that should be restricted. The attack vector involves network access, and the complexity is low, allowing for easy exploitation without requiring any specific user actions.

Privileged access is not necessary to exploit this vulnerability, making it particularly concerning. The impacts on confidentiality and integrity are rated as low, indicating that while the immediate damage may be limited, the potential for further exploitation exists.

Risk & Impact Analysis

Organizations deploying Splunk products should be aware of the risks associated with CVE-2026-20166. The vulnerability allows unauthorized users to access sensitive API tokens, which can lead to unauthorized data access and potential breaches. The blast radius of this vulnerability is significant, as it affects multiple product versions and configurations.

The urgency for addressing this vulnerability is medium, as organizations should include it in their priority patch cycle. Given the potential for exploitation, timely remediation is necessary to mitigate risks.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

The following products are affected by this vulnerability:

Splunk Enterprise versions below 10.2.1 and 10.0.4, as well as Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, and 10.0.2503.12. If version information is missing, organizations should assume all versions prior to vendor patch.

Mitigation & Remediation

To mitigate this vulnerability, organizations should apply the latest patches provided by Splunk for affected versions. The recommended version to upgrade to is the latest release that addresses this vulnerability.

For additional guidance, organizations may consider engaging in penetration testing to assess their security posture.

Detection Guidance

Organizations should monitor logs for any indicators of unauthorized access attempts and unusual behavior patterns. Specifically, keep an eye on access logs for the Discover Splunk Observability Cloud app.

AppSecure Threat Intelligence Insight

The long-term significance of this vulnerability highlights the importance of strong access controls in applications. Security teams must ensure that low-privileged users cannot access sensitive resources.

Organizations should review their security policies and consider implementing regular audits and assessments to identify potential vulnerabilities.

For best practices in securing your applications, consider reading our penetration testing methodology and guidelines.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2026-20166: Medium Vulnerability in Splunk Splunk Cloud Platform