{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20203", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "state": "PUBLISHED", "assignerShortName": "cisco", "dateReserved": "2025-10-08T11:59:15.397Z", "datePublished": "2026-04-15T15:17:56.261Z", "dateUpdated": "2026-04-15T17:40:36.484Z"}, "containers": {"cna": {"affected": [{"product": "Splunk Enterprise", "vendor": "Splunk", "versions": [{"version": "10.2", "status": "affected", "versionType": "custom", "lessThan": "10.2.2"}, {"version": "10.0", "status": "affected", "versionType": "custom", "lessThan": "10.0.5"}, {"version": "9.4", "status": "affected", "versionType": "custom", "lessThan": "9.4.10"}, {"version": "9.3", "status": "affected", "versionType": "custom", "lessThan": "9.3.11"}]}, {"product": "Splunk Cloud Platform", "vendor": "Splunk", "versions": [{"version": "10.4.2603", "status": "affected", "versionType": "custom", "lessThan": "Not Affected"}, {"version": "10.3.2512", "status": "affected", "versionType": "custom", "lessThan": "10.3.2512.6"}, {"version": "10.2.2510", "status": "affected", "versionType": "custom", "lessThan": "10.2.2510.10"}, {"version": "10.1.2507", "status": "affected", "versionType": "custom", "lessThan": "10.1.2507.19"}, {"version": "10.0.2503", "status": "affected", "versionType": "custom", "lessThan": "10.0.2503.13"}, {"version": "9.3.2411", "status": "affected", "versionType": "custom", "lessThan": "9.3.2411.127"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles,\u00a0has write permission on the app, and does not hold the high-privilege capability `accelerate_datamodel`, could turn on or off Data Model Acceleration due to improper access control."}], "value": "In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles,\u00a0has write permission on the app, and does not hold the high-privilege capability `accelerate_datamodel`, could turn on or off Data Model Acceleration due to improper access control."}], "references": [{"url": "https://advisory.splunk.com/advisories/SVD-2026-0402"}], "title": "Improper Access Control in Data Model Acceleration in Splunk Enterprise", "datePublic": "2026-04-15T00:00:00.000Z", "metrics": [{"cvssV3_1": {"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cwe", "description": "The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.", "cweId": "CWE-284"}]}], "source": {"advisory": "SVD-2026-0402"}, "credits": [{"lang": "en", "value": "Mr Hack (try_to_hack) Santiago Lopez"}], "providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2026-04-15T15:17:56.261Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T17:40:22.461732Z", "id": "CVE-2026-20203", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T17:40:36.484Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-20203", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T17:40:22.461732Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T17:40:25.838Z"}}], "cna": {"title": "Improper Access Control in Data Model Acceleration in Splunk Enterprise", "source": {"advisory": "SVD-2026-0402"}, "credits": [{"lang": "en", "value": "Mr Hack (try_to_hack) Santiago Lopez"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Splunk", "product": "Splunk Enterprise", "versions": [{"status": "affected", "version": "10.2", "lessThan": "10.2.2", "versionType": "custom"}, {"status": "affected", "version": "10.0", "lessThan": "10.0.5", "versionType": "custom"}, {"status": "affected", "version": "9.4", "lessThan": "9.4.10", "versionType": "custom"}, {"status": "affected", "version": "9.3", "lessThan": "9.3.11", "versionType": "custom"}]}, {"vendor": "Splunk", "product": "Splunk Cloud Platform", "versions": [{"status": "affected", "version": "10.4.2603", "lessThan": "Not Affected", "versionType": "custom"}, {"status": "affected", "version": "10.3.2512", "lessThan": "10.3.2512.6", "versionType": "custom"}, {"status": "affected", "version": "10.2.2510", "lessThan": "10.2.2510.10", "versionType": "custom"}, {"status": "affected", "version": "10.1.2507", "lessThan": "10.1.2507.19", "versionType": "custom"}, {"status": "affected", "version": "10.0.2503", "lessThan": "10.0.2503.13", "versionType": "custom"}, {"status": "affected", "version": "9.3.2411", "lessThan": "9.3.2411.127", "versionType": "custom"}]}], "datePublic": "2026-04-15T00:00:00.000Z", "references": [{"url": "https://advisory.splunk.com/advisories/SVD-2026-0402"}], "descriptions": [{"lang": "en", "value": "In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles,\u00a0has write permission on the app, and does not hold the high-privilege capability `accelerate_datamodel`, could turn on or off Data Model Acceleration due to improper access control.", "supportingMedia": [{"type": "text/html", "value": "In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles,\u00a0has write permission on the app, and does not hold the high-privilege capability `accelerate_datamodel`, could turn on or off Data Model Acceleration due to improper access control.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cwe", "cweId": "CWE-284", "description": "The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor."}]}], "providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2026-04-15T15:17:56.261Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20203", "state": "PUBLISHED", "dateUpdated": "2026-04-15T17:40:36.484Z", "dateReserved": "2025-10-08T11:59:15.397Z", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "datePublished": "2026-04-15T15:17:56.261Z", "assignerShortName": "cisco"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "9A537203-F31B-44A1-BB9E-C62F4539FA0B", "versionEndExcluding": "9.3.11", "versionStartIncluding": "9.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0205D102-93C7-42FA-A33E-E517BB7760C4", "versionEndExcluding": "9.4.10", "versionStartIncluding": "9.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "D5A01879-50A5-4266-A08C-F55584F442ED", "versionEndExcluding": "10.0.5", "versionStartIncluding": "10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "9F3A147D-2A67-469A-A223-248DEFB413E0", "versionEndExcluding": "10.2.2", "versionStartIncluding": "10.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "6FCB2A3C-8069-4AAC-8746-4B9679DE8116", "versionEndExcluding": "9.3.2411.127", "versionStartIncluding": "9.3.2411", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "D5C098C2-9ED5-41B4-BE57-984B71027144", "versionEndExcluding": "10.0.2503.13", "versionStartIncluding": "10.0.2503", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "2490F8A7-7B04-4E40-9414-02C050DAEB10", "versionEndExcluding": "10.1.2507.19", "versionStartIncluding": "10.1.2507", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "601A4BEC-6F0D-4A52-8B68-18902574E84C", "versionEndExcluding": "10.2.2510.10", "versionStartIncluding": "10.2.2510", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "29253EBC-0E89-46ED-B504-E81F5D4E7E3F", "versionEndExcluding": "10.3.2512.6", "versionStartIncluding": "10.3.2512", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles,\u00a0has write permission on the app, and does not hold the high-privilege capability `accelerate_datamodel`, could turn on or off Data Model Acceleration due to improper access control."}], "id": "CVE-2026-20203", "lastModified": "2026-04-17T19:07:27.830", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "psirt@cisco.com", "type": "Primary"}]}, "published": "2026-04-15T16:16:34.310", "references": [{"source": "psirt@cisco.com", "tags": ["Vendor Advisory"], "url": "https://advisory.splunk.com/advisories/SVD-2026-0402"}], "sourceIdentifier": "psirt@cisco.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "psirt@cisco.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,10.4.2603)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.3.2512,10.3.2512.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.2.2510,10.2.2510.10)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.1.2507,10.1.2507.19)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.0.2503,10.0.2503.13)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.3.2411,9.3.2411.127)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Splunk Cloud Platform", "source": "cna", "vendor": "Splunk"}, "product": "splunk_cloud_platform", "vendor": "splunk"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.2,10.2.2)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.0,10.0.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.4,9.4.10)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.3,9.3.11)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Splunk Enterprise", "source": "cna", "vendor": "Splunk"}, "product": "splunk_enterprise", "vendor": "splunk"}], "analysis": {"en": {"generated_at": "2026-04-16T09:11:56.164131+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest Splunk Enterprise or Splunk Cloud Platform release that contains the fix for this vulnerability.", "Revoke write permissions on applications for users who do not have admin or power roles, ensuring only privileged users can modify application data.", "Verify that the accelerate_datamodel capability is assigned only to roles that truly require it and remove it from roles that require only data model access but not acceleration control."], "summary": {"action": "Apply Patch", "impact": "Improper Access Control allows low\u2011privileged users to toggle Data Model Acceleration"}, "threat_synthesis": {"affected_systems": "Splunk Enterprise versions older than 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions older than 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127 are affected; all newer releases contain the fix.", "description_and_impact": "A flaw in Splunk Enterprise and Splunk Cloud Platform permits a user who has write permission on an application but does not hold the admin or power roles and lacks the accelerate_datamodel capability to enable or disable Data Model Acceleration. The vulnerability does not provide remote code execution or direct data exfiltration; it simply modifies a configuration setting that may change how the system pre\u2011computes and stores data for faster searches.", "risk_and_exploitability": "The CVSS base score is 4.3, indicating low severity, and no EPSS data is available. The vulnerability is not listed in the KEV catalog. Exploitation requires an authenticated user who already has write access to an application but does not possess the admin or power roles. The attacker can toggle acceleration without granting higher privileges or causing code execution, so the impact is limited to altering search performance characteristics within that Splunk deployment."}}}}, "created": "2026-04-16T03:00:08.998121+00:00", "updated": "2026-04-16T09:15:30.990045+00:00", "vendors": ["splunk", "splunk$PRODUCT$splunk_cloud_platform", "splunk$PRODUCT$splunk_enterprise"]}