Splunk Patches Multiple Vulnerabilities that Enable DOS Attacks and Expose Sensitive Data

Splunk has released security updates addressing multiple vulnerabilities across Splunk Enterprise, Splunk Cloud Platform, and the Splunk AI Toolkit that could lead to denial-of-service (DoS) conditions and exposure of sensitive data.

The issues, disclosed on May 20, 2026, include three tracked vulnerabilities: CVE-2026-20238, CVE-2026-20239, and CVE-2026-20240.

Splunk AI Toolkit Access Flaw (CVE-2026-20238)

A medium-severity flaw (CVSS 6.5) affects Splunk AI Toolkit versions below 5.7.3. The issue stems from improper access control caused by misconfigured role inheritance.

Specifically, the toolkit modifies the default ‘user’ role using an authorize.conf file with a srchFilter entry.

Because Splunk combines inherited search filters using the OR operator, this configuration can override more restrictive filters applied to custom roles.

As a result, low-privileged users without ‘admin’ or ‘power’ roles may gain access to sensitive data that should be restricted.

Splunk has fixed this issue in version 5.7.3. As a temporary mitigation, organizations can disable the AI Toolkit or manually modify the authorization.conf file to remove or override the srchFilter setting.

However, this workaround may expose the ai_agent_run_history_index to broader access, requiring additional restrictions.

Sensitive Data Exposure via Logs (CVE-2026-20239)

A high-severity vulnerability (CVSS 7.5) impacts Splunk Enterprise and Splunk Cloud Platform.

The flaw is caused by improper output sanitization in the TcpChannel component, which logs the entire input/output buffer when socket errors occur.

Attackers with access to the _internal index can retrieve sensitive information such as session cookies and HTTP response bodies from log files. This significantly increases the risk of credential theft and session hijacking.

Affected versions include:

• Splunk Enterprise below 10.2.2 and 10.0.5.
• Splunk Cloud Platform versions before multiple patched releases across supported branches.

Splunk recommends upgrading to the latest patched versions and restricting access to the _internal index to administrative roles only.

Denial-of-Service in Splunk Archiver (CVE-2026-20240)

Another high-severity issue (CVSS 7.1) affects the Splunk Archiver app due to improper input validation in the coldToFrozen.sh script. This script is used for managing data lifecycle transitions.

A low-privileged user can exploit this flaw by supplying arbitrary file paths, allowing them to rename critical directories. This can render the Splunk instance inoperable, resulting in a denial-of-service condition.

The vulnerability affects multiple versions of Splunk Enterprise (before 10.2.2, 10.0.5, 9.4.11, and 9.3.12) and Splunk Cloud Platform deployments.

Organizations are advised to apply patches immediately or turn off the Splunk Archiver app if it is not required. However, turning off the app may interrupt automated data archiving workflows.

Splunk strongly urges users to:

• Upgrade all affected components to the latest secure versions.
• Restrict access to sensitive indexes such as _internal.
• Review role-based access controls and inherited permissions.
• Disable vulnerable apps if patches cannot be applied immediately.

These vulnerabilities highlight the risks associated with misconfigured access controls, insufficient input validation, and insecure logging practices.

Timely patching and proper configuration management remain critical to securing Splunk environments against exploitation.