{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20164", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "state": "PUBLISHED", "assignerShortName": "cisco", "dateReserved": "2025-10-08T11:59:15.389Z", "datePublished": "2026-03-11T16:18:01.915Z", "dateUpdated": "2026-03-12T16:19:36.648Z"}, "containers": {"cna": {"affected": [{"product": "Splunk Enterprise", "vendor": "Splunk", "versions": [{"version": "10.0", "status": "affected", "versionType": "custom", "lessThan": "10.0.3"}, {"version": "9.4", "status": "affected", "versionType": "custom", "lessThan": "9.4.9"}, {"version": "9.3", "status": "affected", "versionType": "custom", "lessThan": "9.3.10"}]}, {"product": "Splunk Cloud Platform", "vendor": "Splunk", "versions": [{"version": "10.2.2510", "status": "affected", "versionType": "custom", "lessThan": "10.2.2510.5"}, {"version": "10.1.2507", "status": "affected", "versionType": "custom", "lessThan": "10.1.2507.16"}, {"version": "10.0.2503", "status": "affected", "versionType": "custom", "lessThan": "10.0.2503.11"}, {"version": "9.3.2411", "status": "affected", "versionType": "custom", "lessThan": "9.3.2411.123"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, 10.0.2503.11, and 9.3.2411.123, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could access the `/splunkd/__raw/servicesNS/-/-/configs/conf-passwords` REST API endpoint, which exposes the hashed or plaintext password values that are stored in the passwords.conf configuration file due to improper access control. This vulnerability could allow for the unauthorized disclosure of sensitive credentials."}], "value": "In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, 10.0.2503.11, and 9.3.2411.123, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could access the `/splunkd/__raw/servicesNS/-/-/configs/conf-passwords` REST API endpoint, which exposes the hashed or plaintext password values that are stored in the passwords.conf configuration file due to improper access control. This vulnerability could allow for the unauthorized disclosure of sensitive credentials."}], "references": [{"url": "https://advisory.splunk.com/advisories/SVD-2026-0303"}], "title": "Sensitive Information Disclosure through Improper Access Control in Splunk Enterprise", "datePublic": "2026-03-11T00:00:00.000Z", "metrics": [{"cvssV3_1": {"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cwe", "description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.", "cweId": "CWE-200"}]}], "source": {"advisory": "SVD-2026-0303"}, "credits": [{"lang": "en", "value": "Alex Hordijk (hordalex)"}], "providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2026-03-11T16:18:01.915Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-200", "lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T15:40:30.867807Z", "id": "CVE-2026-20164", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T16:19:36.648Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-20164", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T15:40:30.867807Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T15:40:42.504Z"}}], "cna": {"title": "Sensitive Information Disclosure through Improper Access Control in Splunk Enterprise", "source": {"advisory": "SVD-2026-0303"}, "credits": [{"lang": "en", "value": "Alex Hordijk (hordalex)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Splunk", "product": "Splunk Enterprise", "versions": [{"status": "affected", "version": "10.0", "lessThan": "10.0.3", "versionType": "custom"}, {"status": "affected", "version": "9.4", "lessThan": "9.4.9", "versionType": "custom"}, {"status": "affected", "version": "9.3", "lessThan": "9.3.10", "versionType": "custom"}]}, {"vendor": "Splunk", "product": "Splunk Cloud Platform", "versions": [{"status": "affected", "version": "10.2.2510", "lessThan": "10.2.2510.5", "versionType": "custom"}, {"status": "affected", "version": "10.1.2507", "lessThan": "10.1.2507.16", "versionType": "custom"}, {"status": "affected", "version": "10.0.2503", "lessThan": "10.0.2503.11", "versionType": "custom"}, {"status": "affected", "version": "9.3.2411", "lessThan": "9.3.2411.123", "versionType": "custom"}]}], "datePublic": "2026-03-11T00:00:00.000Z", "references": [{"url": "https://advisory.splunk.com/advisories/SVD-2026-0303"}], "descriptions": [{"lang": "en", "value": "In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, 10.0.2503.11, and 9.3.2411.123, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could access the `/splunkd/__raw/servicesNS/-/-/configs/conf-passwords` REST API endpoint, which exposes the hashed or plaintext password values that are stored in the passwords.conf configuration file due to improper access control. This vulnerability could allow for the unauthorized disclosure of sensitive credentials.", "supportingMedia": [{"type": "text/html", "value": "In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, 10.0.2503.11, and 9.3.2411.123, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could access the `/splunkd/__raw/servicesNS/-/-/configs/conf-passwords` REST API endpoint, which exposes the hashed or plaintext password values that are stored in the passwords.conf configuration file due to improper access control. This vulnerability could allow for the unauthorized disclosure of sensitive credentials.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cwe", "cweId": "CWE-200", "description": "The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information."}]}], "providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2026-03-11T16:18:01.915Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20164", "state": "PUBLISHED", "dateUpdated": "2026-03-12T16:19:36.648Z", "dateReserved": "2025-10-08T11:59:15.389Z", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "datePublished": "2026-03-11T16:18:01.915Z", "assignerShortName": "cisco"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "BFBDF80A-51CC-470E-977C-96ABBF89162D", "versionEndExcluding": "9.3.10", "versionStartIncluding": "9.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "ACAC2D08-9ED6-4E58-A999-0EE2025C69FC", "versionEndExcluding": "9.4.9", "versionStartIncluding": "9.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "CB313879-7BD8-411A-B503-01689F0B326E", "versionEndExcluding": "10.0.3", "versionStartIncluding": "10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "3AF43951-3CF1-4FC8-AAAF-498949E87019", "versionEndExcluding": "9.3.2411.123", "versionStartIncluding": "9.3.2411", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "F7A6863D-1330-4F11-B001-E577AFA9F0AE", "versionEndExcluding": "10.0.2503.11", "versionStartIncluding": "10.0.2503", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "17E11C59-CC22-48AA-A969-717D4D527019", "versionEndExcluding": "10.1.2507.16", "versionStartIncluding": "10.1.2507", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "6609708F-A13F-4E4E-9883-C11659BD6C3C", "versionEndExcluding": "10.2.2510.5", "versionStartIncluding": "10.2.2510", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, 10.0.2503.11, and 9.3.2411.123, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could access the `/splunkd/__raw/servicesNS/-/-/configs/conf-passwords` REST API endpoint, which exposes the hashed or plaintext password values that are stored in the passwords.conf configuration file due to improper access control. This vulnerability could allow for the unauthorized disclosure of sensitive credentials."}, {"lang": "es", "value": "En las versiones de Splunk Enterprise anteriores a la 10.2.0, 10.0.3, 9.4.9 y 9.3.10, y en las versiones de Splunk Cloud Platform anteriores a la 10.2.2510.5, 10.1.2507.16, 10.0.2503.11 y 9.3.2411.123, un usuario con privilegios bajos que no posee los roles de Splunk 'admin' o 'power' podr\u00eda acceder al endpoint de la API REST `/splunkd/__raw/servicesNS/-/-/configs/conf-passwords`, que expone los valores de contrase\u00f1a con hash o en texto plano que se almacenan en el archivo de configuraci\u00f3n passwords.conf debido a un control de acceso inadecuado. Esta vulnerabilidad podr\u00eda permitir la divulgaci\u00f3n no autorizada de credenciales sensibles."}], "id": "CVE-2026-20164", "lastModified": "2026-03-24T17:13:12.757", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "psirt@cisco.com", "type": "Secondary"}]}, "published": "2026-03-11T17:16:56.783", "references": [{"source": "psirt@cisco.com", "tags": ["Vendor Advisory"], "url": "https://advisory.splunk.com/advisories/SVD-2026-0303"}], "sourceIdentifier": "psirt@cisco.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "psirt@cisco.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.2.2510,10.2.2510.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.1.2507,10.1.2507.16)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.0.2503,10.0.2503.11)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.3.2411,9.3.2411.123)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Splunk Cloud Platform", "source": "cna", "vendor": "Splunk"}, "product": "splunk_cloud_platform", "vendor": "splunk"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.0,10.0.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.4,9.4.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.3,9.3.10)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Splunk Enterprise", "source": "cna", "vendor": "Splunk"}, "product": "splunk_enterprise", "vendor": "splunk"}], "analysis": {"en": {"generated_at": "2026-03-24T18:57:01.514195+00:00", "value": {"mitigation_remediation": ["Apply the latest Splunk Enterprise update (10.2.0 or later) or Splunk Cloud Platform update (10.2.2510.5 or later).", "If a patch cannot be applied immediately, restrict the /splunkd/__raw/servicesNS/-/-/configs/conf-passwords endpoint to users with the admin or power role or disable the endpoint entirely.", "Verify that all configured Splunk roles are correctly assigned and remove any users from roles that grant unwarranted access to the endpoint.", "Perform a security audit of stored passwords to ensure no plaintext credentials remain in passwords.conf."], "summary": {"action": "Apply Patch", "impact": "Sensitive Information Disclosure"}, "threat_synthesis": {"affected_systems": "Splunk Enterprise versions earlier than 10.2.0, 10.0.3, 9.4.9, and 9.3.10 and Splunk Cloud Platform versions earlier than 10.2.2510.5, 10.1.2507.16, 10.0.2503.11, and 9.3.2411.123 are affected. The vulnerability exists in the /splunkd/__raw/servicesNS/-/-/configs/conf-passwords REST endpoint and applies to all deployments of these products that use standard access controls.", "description_and_impact": "An improper access control flaw in Splunk Enterprise and Splunk Cloud Platform allows users without the admin or power roles to call a REST API that exposes the passwords.conf file. The data returned can contain hashed or plaintext password values, giving the adversary untrusted credentials from the system. This results in potential compromise of service accounts and downstream systems that rely on those credentials, increasing the depth of the breach.", "risk_and_exploitability": "The CVSS v3.1 score of 6.5 indicates moderate severity, and the EPSS score of less than 1% suggests exploitation is unlikely at present. The vulnerability is not listed in the CISA KEV catalog, reducing the likelihood of widespread, known exploitation. Nonetheless, an attacker who can authenticate as a low-privileged Splunk user can directly query the API endpoint and retrieve sensitive password data. The attack vector is inferred to be over the Splunk REST API (HTTP/HTTPS) and requires only application-level authentication, which most users possess."}}}}, "created": "2026-03-12T09:57:59.780338+00:00", "updated": "2026-03-25T11:50:14.441569+00:00", "vendors": ["splunk", "splunk$PRODUCT$splunk_cloud_platform", "splunk$PRODUCT$splunk_enterprise"]}