{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20202", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "state": "PUBLISHED", "assignerShortName": "cisco", "dateReserved": "2025-10-08T11:59:15.397Z", "datePublished": "2026-04-15T15:17:43.871Z", "dateUpdated": "2026-04-16T03:55:28.582Z"}, "containers": {"cna": {"affected": [{"product": "Splunk Enterprise", "vendor": "Splunk", "versions": [{"version": "10.2", "status": "affected", "versionType": "custom", "lessThan": "10.2.2"}, {"version": "10.0", "status": "affected", "versionType": "custom", "lessThan": "10.0.5"}, {"version": "9.4", "status": "affected", "versionType": "custom", "lessThan": "9.4.10"}, {"version": "9.3", "status": "affected", "versionType": "custom", "lessThan": "9.3.11"}]}, {"product": "Splunk Cloud Platform", "vendor": "Splunk", "versions": [{"version": "10.4.2603", "status": "affected", "versionType": "custom", "lessThan": "Not Affected"}, {"version": "10.3.2512", "status": "affected", "versionType": "custom", "lessThan": "10.3.2512.6"}, {"version": "10.2.2510", "status": "affected", "versionType": "custom", "lessThan": "10.2.2510.10"}, {"version": "10.1.2507", "status": "affected", "versionType": "custom", "lessThan": "10.1.2507.20"}, {"version": "10.0.2503", "status": "affected", "versionType": "custom", "lessThan": "10.0.2503.13"}, {"version": "9.3.2411", "status": "affected", "versionType": "custom", "lessThan": "9.3.2411.127"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127, a user who holds a role that contains the high-privilege capability `edit_user`could create a specially crafted username that includes a null byte or a non-UTF-8 percent-encoded byte due to improper input validation.<br><br>This could lead to inconsistent conversion of usernames into a proper format for storage and account management inconsistencies, such as being unable to edit or delete affected users."}], "value": "In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127, a user who holds a role that contains the high-privilege capability `edit_user`could create a specially crafted username that includes a null byte or a non-UTF-8 percent-encoded byte due to improper input validation.<br><br>This could lead to inconsistent conversion of usernames into a proper format for storage and account management inconsistencies, such as being unable to edit or delete affected users."}], "references": [{"url": "https://advisory.splunk.com/advisories/SVD-2026-0401"}], "title": "Improper Input Validation during User Account Creation in Splunk Enterprise", "datePublic": "2026-04-15T00:00:00.000Z", "metrics": [{"cvssV3_1": {"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "baseScore": 6.6, "baseSeverity": "MEDIUM"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cwe", "description": "The software does not properly handle when an input contains Unicode encoding.", "cweId": "CWE-176"}]}], "source": {"advisory": "SVD-2026-0401"}, "credits": [{"lang": "en", "value": "Ryan Luke<br><br>Mahfujur Rahman (mahfujwhh)"}], "providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2026-04-15T15:17:43.871Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-20202"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T03:55:28.582Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-20202", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-15T18:44:31.460792Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T18:44:34.952Z"}}], "cna": {"title": "Improper Input Validation during User Account Creation in Splunk Enterprise", "source": {"advisory": "SVD-2026-0401"}, "credits": [{"lang": "en", "value": "Ryan Luke<br><br>Mahfujur Rahman (mahfujwhh)"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 6.6, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Splunk", "product": "Splunk Enterprise", "versions": [{"status": "affected", "version": "10.2", "lessThan": "10.2.2", "versionType": "custom"}, {"status": "affected", "version": "10.0", "lessThan": "10.0.5", "versionType": "custom"}, {"status": "affected", "version": "9.4", "lessThan": "9.4.10", "versionType": "custom"}, {"status": "affected", "version": "9.3", "lessThan": "9.3.11", "versionType": "custom"}]}, {"vendor": "Splunk", "product": "Splunk Cloud Platform", "versions": [{"status": "affected", "version": "10.4.2603", "lessThan": "Not Affected", "versionType": "custom"}, {"status": "affected", "version": "10.3.2512", "lessThan": "10.3.2512.6", "versionType": "custom"}, {"status": "affected", "version": "10.2.2510", "lessThan": "10.2.2510.10", "versionType": "custom"}, {"status": "affected", "version": "10.1.2507", "lessThan": "10.1.2507.20", "versionType": "custom"}, {"status": "affected", "version": "10.0.2503", "lessThan": "10.0.2503.13", "versionType": "custom"}, {"status": "affected", "version": "9.3.2411", "lessThan": "9.3.2411.127", "versionType": "custom"}]}], "datePublic": "2026-04-15T00:00:00.000Z", "references": [{"url": "https://advisory.splunk.com/advisories/SVD-2026-0401"}], "descriptions": [{"lang": "en", "value": "In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127, a user who holds a role that contains the high-privilege capability `edit_user`could create a specially crafted username that includes a null byte or a non-UTF-8 percent-encoded byte due to improper input validation.<br><br>This could lead to inconsistent conversion of usernames into a proper format for storage and account management inconsistencies, such as being unable to edit or delete affected users.", "supportingMedia": [{"type": "text/html", "value": "In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127, a user who holds a role that contains the high-privilege capability `edit_user`could create a specially crafted username that includes a null byte or a non-UTF-8 percent-encoded byte due to improper input validation.<br><br>This could lead to inconsistent conversion of usernames into a proper format for storage and account management inconsistencies, such as being unable to edit or delete affected users.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cwe", "cweId": "CWE-176", "description": "The software does not properly handle when an input contains Unicode encoding."}]}], "providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2026-04-15T15:17:43.871Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20202", "state": "PUBLISHED", "dateUpdated": "2026-04-16T03:55:28.582Z", "dateReserved": "2025-10-08T11:59:15.397Z", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "datePublished": "2026-04-15T15:17:43.871Z", "assignerShortName": "cisco"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "9A537203-F31B-44A1-BB9E-C62F4539FA0B", "versionEndExcluding": "9.3.11", "versionStartIncluding": "9.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0205D102-93C7-42FA-A33E-E517BB7760C4", "versionEndExcluding": "9.4.10", "versionStartIncluding": "9.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "D5A01879-50A5-4266-A08C-F55584F442ED", "versionEndExcluding": "10.0.5", "versionStartIncluding": "10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "9F3A147D-2A67-469A-A223-248DEFB413E0", "versionEndExcluding": "10.2.2", "versionStartIncluding": "10.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "6FCB2A3C-8069-4AAC-8746-4B9679DE8116", "versionEndExcluding": "9.3.2411.127", "versionStartIncluding": "9.3.2411", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "D5C098C2-9ED5-41B4-BE57-984B71027144", "versionEndExcluding": "10.0.2503.13", "versionStartIncluding": "10.0.2503", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "9CD48754-5DBD-499A-9004-BD8D948E548A", "versionEndExcluding": "10.1.2507.20", "versionStartIncluding": "10.1.2507", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "601A4BEC-6F0D-4A52-8B68-18902574E84C", "versionEndExcluding": "10.2.2510.10", "versionStartIncluding": "10.2.2510", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "29253EBC-0E89-46ED-B504-E81F5D4E7E3F", "versionEndExcluding": "10.3.2512.6", "versionStartIncluding": "10.3.2512", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127, a user who holds a role that contains the high-privilege capability `edit_user`could create a specially crafted username that includes a null byte or a non-UTF-8 percent-encoded byte due to improper input validation.<br><br>This could lead to inconsistent conversion of usernames into a proper format for storage and account management inconsistencies, such as being unable to edit or delete affected users."}], "id": "CVE-2026-20202", "lastModified": "2026-04-17T19:10:36.220", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 5.9, "source": "psirt@cisco.com", "type": "Primary"}]}, "published": "2026-04-15T16:16:34.120", "references": [{"source": "psirt@cisco.com", "tags": ["Vendor Advisory"], "url": "https://advisory.splunk.com/advisories/SVD-2026-0401"}], "sourceIdentifier": "psirt@cisco.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-176"}], "source": "psirt@cisco.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,10.4.2603)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.3.2512,10.3.2512.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.2.2510,10.2.2510.10)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.1.2507,10.1.2507.20)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.0.2503,10.0.2503.13)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.3.2411,9.3.2411.127)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Splunk Cloud Platform", "source": "cna", "vendor": "Splunk"}, "product": "splunk_cloud_platform", "vendor": "splunk"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.2,10.2.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.0,10.0.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.4,9.4.10)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.3,9.3.11)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Splunk Enterprise", "source": "cna", "vendor": "Splunk"}, "product": "splunk_enterprise", "vendor": "splunk"}], "analysis": {"en": {"generated_at": "2026-04-15T19:24:29.633101+00:00", "value": {"mitigation_remediation": ["Upgrade Splunk Enterprise to version 10.2.2 or later and Splunk Cloud Platform to version 10.4.2603.0 or later.", "Restrict the edit_user capability to only trusted administrative roles and audit role assignments regularly.", "Implement application\u2011level validation to reject usernames containing null bytes or non\u2011UTF\u20118 percent\u2011encoded characters until an official patch is applied."], "summary": {"action": "Patch", "impact": "Account Management Disruption"}, "threat_synthesis": {"affected_systems": "Affected systems include Splunk Enterprise versions prior to 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions prior to 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127. Only users with a role that contains the high\u2011privilege edit_user capability can exploit the flaw.", "description_and_impact": "Splunk Enterprise and Splunk Cloud Platform allow a user with the edit_user capability to create usernames that contain a null byte or a non\u2011UTF\u20118 percent\u2011encoded byte. The input validation fails to normalize these values before storing them, resulting in usernames that are stored inconsistently. This inconsistency can prevent legitimate editing or deletion of the affected accounts, effectively disabling management of those user identities and compromising the normal operation of the authentication subsystem.", "risk_and_exploitability": "The CVSS score of 6.6 indicates a medium severity vulnerability. No EPSS score is available, so the likelihood of exploitation is unknown, and the vulnerability is not listed in the CISA KEV catalog. The flaw requires an attacker to possess a role with the edit_user privilege, which is typically held by internal administrators. Therefore the attack vector is likely internal or from a compromised privileged account. An attacker could create malformed accounts and then cause the system to be unable to delete or modify them, leading to account management chaos. No remote code execution or privilege escalation beyond the existing edit_user role is implied by the provided information."}}}}, "created": "2026-04-15T19:15:11.918187+00:00", "updated": "2026-04-15T19:30:12.383391+00:00", "vendors": ["splunk", "splunk$PRODUCT$splunk_cloud_platform", "splunk$PRODUCT$splunk_enterprise"]}