{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20139", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "state": "PUBLISHED", "assignerShortName": "cisco", "dateReserved": "2025-10-08T11:59:15.382Z", "datePublished": "2026-02-18T16:45:32.308Z", "dateUpdated": "2026-02-19T19:28:04.863Z"}, "containers": {"cna": {"affected": [{"product": "Splunk Enterprise", "vendor": "Splunk", "versions": [{"version": "10.0", "status": "affected", "versionType": "custom", "lessThan": "10.0.2"}, {"version": "9.4", "status": "affected", "versionType": "custom", "lessThan": "9.4.8"}, {"version": "9.3", "status": "affected", "versionType": "custom", "lessThan": "9.3.9"}, {"version": "9.2", "status": "affected", "versionType": "custom", "lessThan": "9.2.12"}]}, {"product": "Splunk Cloud Platform", "vendor": "Splunk", "versions": [{"version": "10.2.2510", "status": "affected", "versionType": "custom", "lessThan": "10.2.2510.3"}, {"version": "10.1.2507", "status": "affected", "versionType": "custom", "lessThan": "10.1.2507.8"}, {"version": "10.0.2503", "status": "affected", "versionType": "custom", "lessThan": "10.0.2503.9"}, {"version": "9.3.2411", "status": "affected", "versionType": "custom", "lessThan": "9.3.2411.121"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.8, 9.3.9, and 9.2.12, and Splunk Cloud Platform versions below 10.2.2510.3, 10.1.2507.8, 10.0.2503.9, and 9.3.2411.121, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a malicious payload into the `realname`, `tz`, or `email` parameters of the `/splunkd/__raw/services/authentication/users/username` REST API endpoint when they change a password. This could potentially lead to a client\u2011side denial\u2011of\u2011service (DoS). The malicious payload might significantly slow page load times or render Splunk Web temporarily unresponsive."}], "value": "In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.8, 9.3.9, and 9.2.12, and Splunk Cloud Platform versions below 10.2.2510.3, 10.1.2507.8, 10.0.2503.9, and 9.3.2411.121, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a malicious payload into the `realname`, `tz`, or `email` parameters of the `/splunkd/__raw/services/authentication/users/username` REST API endpoint when they change a password. This could potentially lead to a client\u2011side denial\u2011of\u2011service (DoS). The malicious payload might significantly slow page load times or render Splunk Web temporarily unresponsive."}], "references": [{"url": "https://advisory.splunk.com/advisories/SVD-2026-0204"}], "title": "Client-Side Denial of Service (DoS) through ''/splunkd/__raw/services/authentication/users/username'' REST API endpoint in Splunk Enterprise", "datePublic": "2026-02-18T00:00:00.000Z", "metrics": [{"cvssV3_1": {"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cwe", "description": "The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.", "cweId": "CWE-400"}]}], "source": {"advisory": "SVD-2026-0204"}, "credits": [{"lang": "en", "value": "ST\u00d6K / Fredrik Alexandersson"}], "providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2026-02-18T16:45:32.308Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-400", "lang": "en", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T19:10:51.635917Z", "id": "CVE-2026-20139", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T19:28:04.863Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-20139", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-19T19:10:51.635917Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T19:27:50.436Z"}}], "cna": {"title": "Client-Side Denial of Service (DoS) through ''/splunkd/__raw/services/authentication/users/username'' REST API endpoint in Splunk Enterprise", "source": {"advisory": "SVD-2026-0204"}, "credits": [{"lang": "en", "value": "ST\u00d6K / Fredrik Alexandersson"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Splunk", "product": "Splunk Enterprise", "versions": [{"status": "affected", "version": "10.0", "lessThan": "10.0.2", "versionType": "custom"}, {"status": "affected", "version": "9.4", "lessThan": "9.4.8", "versionType": "custom"}, {"status": "affected", "version": "9.3", "lessThan": "9.3.9", "versionType": "custom"}, {"status": "affected", "version": "9.2", "lessThan": "9.2.12", "versionType": "custom"}]}, {"vendor": "Splunk", "product": "Splunk Cloud Platform", "versions": [{"status": "affected", "version": "10.2.2510", "lessThan": "10.2.2510.3", "versionType": "custom"}, {"status": "affected", "version": "10.1.2507", "lessThan": "10.1.2507.8", "versionType": "custom"}, {"status": "affected", "version": "10.0.2503", "lessThan": "10.0.2503.9", "versionType": "custom"}, {"status": "affected", "version": "9.3.2411", "lessThan": "9.3.2411.121", "versionType": "custom"}]}], "datePublic": "2026-02-18T00:00:00.000Z", "references": [{"url": "https://advisory.splunk.com/advisories/SVD-2026-0204"}], "descriptions": [{"lang": "en", "value": "In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.8, 9.3.9, and 9.2.12, and Splunk Cloud Platform versions below 10.2.2510.3, 10.1.2507.8, 10.0.2503.9, and 9.3.2411.121, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a malicious payload into the `realname`, `tz`, or `email` parameters of the `/splunkd/__raw/services/authentication/users/username` REST API endpoint when they change a password. This could potentially lead to a client\u2011side denial\u2011of\u2011service (DoS). The malicious payload might significantly slow page load times or render Splunk Web temporarily unresponsive.", "supportingMedia": [{"type": "text/html", "value": "In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.8, 9.3.9, and 9.2.12, and Splunk Cloud Platform versions below 10.2.2510.3, 10.1.2507.8, 10.0.2503.9, and 9.3.2411.121, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a malicious payload into the `realname`, `tz`, or `email` parameters of the `/splunkd/__raw/services/authentication/users/username` REST API endpoint when they change a password. This could potentially lead to a client\u2011side denial\u2011of\u2011service (DoS). The malicious payload might significantly slow page load times or render Splunk Web temporarily unresponsive.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cwe", "cweId": "CWE-400", "description": "The software does not properly control the allocation and maintenance of a limited resource thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources."}]}], "providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2026-02-18T16:45:32.308Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20139", "state": "PUBLISHED", "dateUpdated": "2026-02-19T19:28:04.863Z", "dateReserved": "2025-10-08T11:59:15.382Z", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "datePublished": "2026-02-18T16:45:32.308Z", "assignerShortName": "cisco"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "6A753402-54BC-4809-800C-A1B1CC1BF176", "versionEndExcluding": "9.2.12", "versionStartIncluding": "9.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0D9ACC64-CE37-4DBF-9315-E2DA76A3EAD2", "versionEndExcluding": "9.3.9", "versionStartIncluding": "9.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "657A9AFC-2335-4C32-8B81-901D1C742592", "versionEndExcluding": "9.4.8", "versionStartIncluding": "9.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "4413D4BE-F225-4C28-B401-EB46D8F34160", "versionEndExcluding": "10.0.2", "versionStartIncluding": "10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "B3D8C2DB-F956-49E2-8140-8D8962071007", "versionEndExcluding": "9.3.2411.121", "versionStartIncluding": "9.3.2411", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "62714243-8A5F-4908-BD39-7B1026B8E7D7", "versionEndExcluding": "10.0.2503.9", "versionStartIncluding": "10.0.2503", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "43C712E7-B77B-49CC-8143-C5594F0089DD", "versionEndExcluding": "10.1.2507.8", "versionStartIncluding": "10.1.2507", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "AFACEF04-1811-4345-A640-EF3FC84E490B", "versionEndExcluding": "10.2.2510.3", "versionStartIncluding": "10.2.2510", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.8, 9.3.9, and 9.2.12, and Splunk Cloud Platform versions below 10.2.2510.3, 10.1.2507.8, 10.0.2503.9, and 9.3.2411.121, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could craft a malicious payload into the `realname`, `tz`, or `email` parameters of the `/splunkd/__raw/services/authentication/users/username` REST API endpoint when they change a password. This could potentially lead to a client\u2011side denial\u2011of\u2011service (DoS). The malicious payload might significantly slow page load times or render Splunk Web temporarily unresponsive."}, {"lang": "es", "value": "En las versiones de Splunk Enterprise anteriores a 10.2.0, 10.0.2, 9.4.8, 9.3.9 y 9.2.12, y en las versiones de Splunk Cloud Platform anteriores a 10.2.2510.3, 10.1.2507.8, 10.0.2503.9 y 9.3.2411.121, un usuario con pocos privilegios que no posea los roles de Splunk 'admin' o 'power' podr\u00eda crear una carga \u00fatil maliciosa en los par\u00e1metros `realname`, `tz` o `email` del endpoint de la API REST `/splunkd/__raw/services/authentication/users/username` cuando cambian una contrase\u00f1a. Esto podr\u00eda, potencialmente, provocar una denegaci\u00f3n de servicio (DoS) del lado del cliente. La carga \u00fatil maliciosa podr\u00eda ralentizar significativamente los tiempos de carga de la p\u00e1gina o hacer que Splunk Web no responda temporalmente."}], "id": "CVE-2026-20139", "lastModified": "2026-02-20T13:47:44.000", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "psirt@cisco.com", "type": "Secondary"}]}, "published": "2026-02-18T18:24:26.497", "references": [{"source": "psirt@cisco.com", "tags": ["Vendor Advisory"], "url": "https://advisory.splunk.com/advisories/SVD-2026-0204"}], "sourceIdentifier": "psirt@cisco.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "psirt@cisco.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.2.2510,10.2.2510.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.1.2507,10.1.2507.8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.0.2503,10.0.2503.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.3.2411,9.3.2411.121)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Splunk Cloud Platform", "source": "cna", "vendor": "Splunk"}, "product": "splunk_cloud_platform", "vendor": "splunk"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.0,10.0.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.4,9.4.8)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.3,9.3.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.2,9.2.12)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Splunk Enterprise", "source": "cna", "vendor": "Splunk"}, "product": "splunk_enterprise", "vendor": "splunk"}], "analysis": {"en": {"generated_at": "2026-04-17T18:36:56.808085+00:00", "value": {"mitigation_remediation": ["Update Splunk Enterprise to a version where this vulnerability is fixed (>=10.2.0, 10.0.2, 9.4.8, 9.3.9, or 9.2.12).", "Upgrade Splunk Cloud Platform to a non\u2011affected release (>=10.2.2510.3, 10.1.2507.8, 10.0.2503.9, or 9.3.2411.121).", "Restrict the ability to change passwords to users with admin or power roles, and implement input validation or parameter sanitization for realname, tz, and email fields to prevent malicious payloads."], "summary": {"action": "Mitigate", "impact": "Client\u2011side Denial of Service"}, "threat_synthesis": {"affected_systems": "Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.8, 9.3.9, and 9.2.12, and Splunk Cloud Platform versions below 10.2.2510.3, 10.1.2507.8, 10.0.2503.9, and 9.3.2411.121 are affected.", "description_and_impact": "A low\u2011privileged user lacking the admin or power role can submit a crafted payload to the realname, tz, or email parameters of the /splunkd/__raw/services/authentication/users/username REST API endpoint when changing a password. The payload may significantly delay page load times or temporarily make Splunk Web unresponsive, representing a client\u2011side denial\u2011of\u2011service effect. This weakness is a classic instance of CWE\u2011400: Input Validation Failure.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity, while the EPSS score of less than 1% suggests a very low exploitation probability at this time. The vulnerability has not been catalogued in the CISA KEV list. The attack vector is inferred to be a crafted HTTP request to the REST endpoint, performed by an unprivileged user who can submit the malicious parameters during a password change. Successful exploitation would yield a local client\u2011side denial\u2011of\u2011service but no compromise of confidentiality or integrity."}}}}, "created": "2026-02-19T10:11:35.592377+00:00", "updated": "2026-04-17T18:45:25.547408+00:00", "vendors": ["splunk", "splunk$PRODUCT$splunk_cloud_platform", "splunk$PRODUCT$splunk_enterprise"]}