{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20165", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "state": "PUBLISHED", "assignerShortName": "cisco", "dateReserved": "2025-10-08T11:59:15.390Z", "datePublished": "2026-03-11T16:17:54.427Z", "dateUpdated": "2026-03-12T16:19:44.284Z"}, "containers": {"cna": {"affected": [{"product": "Splunk Enterprise", "vendor": "Splunk", "versions": [{"version": "10.2", "status": "affected", "versionType": "custom", "lessThan": "10.2.1"}, {"version": "10.0", "status": "affected", "versionType": "custom", "lessThan": "10.0.4"}, {"version": "9.4", "status": "affected", "versionType": "custom", "lessThan": "9.4.9"}, {"version": "9.3", "status": "affected", "versionType": "custom", "lessThan": "9.3.10"}]}, {"product": "Splunk Cloud Platform", "vendor": "Splunk", "versions": [{"version": "10.2.2510", "status": "affected", "versionType": "custom", "lessThan": "10.2.2510.7"}, {"version": "10.1.2507", "status": "affected", "versionType": "custom", "lessThan": "10.1.2507.17"}, {"version": "10.0.2503", "status": "affected", "versionType": "custom", "lessThan": "10.0.2503.12"}, {"version": "9.3.2411", "status": "affected", "versionType": "custom", "lessThan": "9.3.2411.124"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In Splunk Enterprise versions below 10.2.1, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.7, 10.1.2507.17, 10.0.2503.12, and 9.3.2411.124, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could retrieve sensitive information by inspecting the job's search log due to improper access control in the MongoClient logging channel."}], "value": "In Splunk Enterprise versions below 10.2.1, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.7, 10.1.2507.17, 10.0.2503.12, and 9.3.2411.124, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could retrieve sensitive information by inspecting the job's search log due to improper access control in the MongoClient logging channel."}], "references": [{"url": "https://advisory.splunk.com/advisories/SVD-2026-0304"}], "title": "Sensitive Information Disclosure in MongoClient logging channel in Splunk Enterprise", "datePublic": "2026-03-11T00:00:00.000Z", "metrics": [{"cvssV3_1": {"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cwe", "description": "Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.", "cweId": "CWE-532"}]}], "source": {"advisory": "SVD-2026-0304"}, "credits": [{"lang": "en", "value": "John Copeland"}], "providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2026-03-11T16:17:54.427Z"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-532", "lang": "en", "description": "CWE-532 Insertion of Sensitive Information into Log File"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T15:40:54.433220Z", "id": "CVE-2026-20165", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T16:19:44.284Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-20165", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T15:40:54.433220Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-532", "description": "CWE-532 Insertion of Sensitive Information into Log File"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T15:41:04.576Z"}}], "cna": {"title": "Sensitive Information Disclosure in MongoClient logging channel in Splunk Enterprise", "source": {"advisory": "SVD-2026-0304"}, "credits": [{"lang": "en", "value": "John Copeland"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Splunk", "product": "Splunk Enterprise", "versions": [{"status": "affected", "version": "10.2", "lessThan": "10.2.1", "versionType": "custom"}, {"status": "affected", "version": "10.0", "lessThan": "10.0.4", "versionType": "custom"}, {"status": "affected", "version": "9.4", "lessThan": "9.4.9", "versionType": "custom"}, {"status": "affected", "version": "9.3", "lessThan": "9.3.10", "versionType": "custom"}]}, {"vendor": "Splunk", "product": "Splunk Cloud Platform", "versions": [{"status": "affected", "version": "10.2.2510", "lessThan": "10.2.2510.7", "versionType": "custom"}, {"status": "affected", "version": "10.1.2507", "lessThan": "10.1.2507.17", "versionType": "custom"}, {"status": "affected", "version": "10.0.2503", "lessThan": "10.0.2503.12", "versionType": "custom"}, {"status": "affected", "version": "9.3.2411", "lessThan": "9.3.2411.124", "versionType": "custom"}]}], "datePublic": "2026-03-11T00:00:00.000Z", "references": [{"url": "https://advisory.splunk.com/advisories/SVD-2026-0304"}], "descriptions": [{"lang": "en", "value": "In Splunk Enterprise versions below 10.2.1, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.7, 10.1.2507.17, 10.0.2503.12, and 9.3.2411.124, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could retrieve sensitive information by inspecting the job's search log due to improper access control in the MongoClient logging channel.", "supportingMedia": [{"type": "text/html", "value": "In Splunk Enterprise versions below 10.2.1, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.7, 10.1.2507.17, 10.0.2503.12, and 9.3.2411.124, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could retrieve sensitive information by inspecting the job's search log due to improper access control in the MongoClient logging channel.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cwe", "cweId": "CWE-532", "description": "Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information."}]}], "providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2026-03-11T16:17:54.427Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20165", "state": "PUBLISHED", "dateUpdated": "2026-03-12T16:19:44.284Z", "dateReserved": "2025-10-08T11:59:15.390Z", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "datePublished": "2026-03-11T16:17:54.427Z", "assignerShortName": "cisco"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "BFBDF80A-51CC-470E-977C-96ABBF89162D", "versionEndExcluding": "9.3.10", "versionStartIncluding": "9.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "ACAC2D08-9ED6-4E58-A999-0EE2025C69FC", "versionEndExcluding": "9.4.9", "versionStartIncluding": "9.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1E7483F3-FE84-42B9-A2E7-6E89B110BA31", "versionEndExcluding": "10.0.4", "versionStartIncluding": "10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:10.2.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "122C01E6-CD7E-44B3-BC65-2ACEDFE704E5", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "5198A912-AABA-40D1-8DE1-958E6584501B", "versionEndExcluding": "9.3.2411.124", "versionStartIncluding": "9.3.2411", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA248FBD-6AFF-492C-93A8-17EAA7C07FC1", "versionEndExcluding": "10.0.2503.12", "versionStartIncluding": "10.0.2503", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "A28B5F1D-ED23-4969-A54D-5DE1FF1EADF9", "versionEndExcluding": "10.1.2507.17", "versionStartIncluding": "10.1.2507", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "B333EE88-B86D-4E13-B119-7D0523B76376", "versionEndExcluding": "10.2.2510.7", "versionStartIncluding": "10.2.2510", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Splunk Enterprise versions below 10.2.1, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.7, 10.1.2507.17, 10.0.2503.12, and 9.3.2411.124, a low-privileged user that does not hold the \"admin\" or \"power\" Splunk roles could retrieve sensitive information by inspecting the job's search log due to improper access control in the MongoClient logging channel."}, {"lang": "es", "value": "En las versiones de Splunk Enterprise anteriores a 10.2.1, 10.0.4, 9.4.9 y 9.3.10, y en las versiones de Splunk Cloud Platform anteriores a 10.2.2510.7, 10.1.2507.17, 10.0.2503.12 y 9.3.2411.124, un usuario con privilegios bajos que no posee los roles de Splunk 'admin' o 'power' podr\u00eda recuperar informaci\u00f3n sensible al inspeccionar el registro de b\u00fasqueda del trabajo debido a un control de acceso inadecuado en el canal de registro de MongoClient."}], "id": "CVE-2026-20165", "lastModified": "2026-03-24T17:55:15.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "psirt@cisco.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-11T17:16:56.943", "references": [{"source": "psirt@cisco.com", "tags": ["Vendor Advisory"], "url": "https://advisory.splunk.com/advisories/SVD-2026-0304"}], "sourceIdentifier": "psirt@cisco.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "psirt@cisco.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-532"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.2.2510,10.2.2510.7)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.1.2507,10.1.2507.17)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.0.2503,10.0.2503.12)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.3.2411,9.3.2411.124)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Splunk Cloud Platform", "source": "cna", "vendor": "Splunk"}, "product": "splunk_cloud_platform", "vendor": "splunk"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.2,10.2.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.0,10.0.4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.4,9.4.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.3,9.3.10)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Splunk Enterprise", "source": "cna", "vendor": "Splunk"}, "product": "splunk_enterprise", "vendor": "splunk"}], "analysis": {"en": {"generated_at": "2026-03-24T19:40:21.345191+00:00", "value": {"mitigation_remediation": ["Upgrade Splunk Enterprise to the latest supported release (at least 10.2.1, 10.0.4, 9.4.9, or 9.3.10, depending on your product version).", "Apply the most recent Splunk Cloud Platform update (10.2.2510.7 or newer, or the equivalent release for your service).", "If an immediate update is not possible, restrict non\u2011admin user access to search logs through role\u2011based permissions to mitigate exposure."], "summary": {"action": "Immediate Patch", "impact": "Sensitive Information Disclosure"}, "threat_synthesis": {"affected_systems": "Splunk Enterprise installations prior to versions 10.2.1, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform releases earlier than 10.2.2510.7, 10.1.2507.17, 10.0.2503.12, and 9.3.2411.124 are vulnerable. These include both the enterprise appliance and the cloud\u2011based service.", "description_and_impact": "This vulnerability allows a user without elevated Splunk roles to read sensitive search log data through the MongoClient logging channel. The improper access control exposes confidential information that should only be available to administrators, compromising confidentiality for affected accounts.", "risk_and_exploitability": "The CVSS score of 6.3 indicates moderate severity, and the EPSS score of less than 1 percent suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack requires authenticated access as a low\u2011privileged user; no remote unauthenticated vector is described, so exploitation is limited to users who can log into the Splunk instance."}}}}, "created": "2026-03-12T09:58:00.679487+00:00", "updated": "2026-03-25T11:50:15.372006+00:00", "vendors": ["splunk", "splunk$PRODUCT$splunk_cloud_platform", "splunk$PRODUCT$splunk_enterprise"]}