CVE-2026-20138
📋 TL;DR
This vulnerability allows users with access to Splunk's _internal index to view sensitive authentication secrets in plain text. Specifically, Duo Two-Factor Authentication integration keys, secret keys, and app secret keys are exposed. This affects Splunk Enterprise Search Head Cluster deployments with Duo integration enabled.
💻 Affected Systems
- Splunk Enterprise
📦 What is this software?
Splunk by Splunk
⚠️ Risk & Real-World Impact
Worst Case
An attacker with access to the _internal index could steal Duo authentication secrets, potentially bypassing two-factor authentication and gaining unauthorized access to Splunk systems or connected services.
Likely Case
Internal users with legitimate access to the _internal index could inadvertently or intentionally view and misuse sensitive authentication secrets, compromising the security of Duo integration.
If Mitigated
With proper access controls limiting _internal index access to only essential administrators, the exposure risk is significantly reduced.
🎯 Exploit Status
Exploitation requires a user account with access to the _internal index, which is typically restricted to administrators or specific roles.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.2.0, 10.0.2, 9.4.7, 9.3.9, or 9.2.11
Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2026-0203
Restart Required: Yes
Instructions:
1. Identify your current Splunk Enterprise version.
2. Upgrade to the appropriate patched version for your current release track.
3. Restart Splunk services after the upgrade.
4. Verify the fix by checking that Duo secrets are no longer visible in plain text in the _internal index.
🔧 Temporary Workarounds
Restrict _internal index access
Limit access to the _internal index to only essential administrative users who absolutely require it.
splunk edit user <username> -roles <role_without_internal_access>
splunk edit role <rolename> -srchIndexesDefault <indexes> -srchIndexesAllowed <indexes>
Disable Duo integration temporarily
If Duo two-factor authentication is not critical, temporarily disable it until patching can be completed.
Edit authentication.conf to disable Duo settings
🧯 If You Can't Patch
- Immediately restrict access to the _internal index to the smallest possible set of users
- Implement additional monitoring and auditing for access to the _internal index
🔍 How to Verify
Check if Vulnerable:
Check if Duo authentication secrets are visible in plain text by searching the _internal index for patterns matching integrationKey, secretKey, or appSecretKey values.
Check Version:
splunk version
Verify Fix Applied:
After patching, verify that searching the _internal index no longer returns plain text Duo authentication secrets.
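An added helper for the before/after check above (example code, not from the advisory or from Splunk): it scans exported _internal search results for the three Duo field names the advisory lists and reports each hit with the value redacted, so a verification run never copies a live secret into a ticket. The log line format, field syntax and key values below are constructed samples, not real Splunk output or real Duo keys.

```python
import re
from typing import List

# Field names the advisory says can appear in plain text in the _internal index.
SECRET_FIELDS = ("integrationKey", "secretKey", "appSecretKey")

# Matches field=value, field="value" or field: value; a real secret is assumed to be
# at least 8 alphanumeric characters, so masked placeholders such as "***" do not match.
_PATTERN = re.compile(
    r'\b(?P<field>' + "|".join(SECRET_FIELDS) + r')\b\s*[=:]\s*"?(?P<value>[A-Za-z0-9_\-]{8,})"?'
)


def redact(value: str) -> str:
    """Keep a 4-character prefix so findings can be correlated without exposing the secret."""
    return value[:4] + "*" * (len(value) - 4)


def find_exposed_secrets(lines: List[str]) -> List[dict]:
    """Return one finding per plain-text Duo secret found in the given log lines."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for m in _PATTERN.finditer(line):
            findings.append({
                "line": lineno,
                "field": m.group("field"),
                "value": redact(m.group("value")),
            })
    return findings


# Constructed sample lines: the first two stand in for an unpatched system, the third
# for a patched one that masks the values. Formats and keys are invented for this example.
SAMPLE_LINES = [
    'INFO  Duo config loaded integrationKey=DIABCDEFGHIJKLMNOPQR secretKey="deadbeefdeadbeefdeadbeef"',
    'INFO  Duo app config appSecretKey: 0123456789abcdef0123456789abcdef',
    'INFO  Duo config loaded integrationKey=******************** secretKey="***"',
]

if __name__ == "__main__":
    for f in find_exposed_secrets(SAMPLE_LINES):
        print(f"line {f['line']}: {f['field']} exposed ({f['value']})")
```

Feed it the raw `_raw` column of an exported search over index=_internal; an empty result after patching is the expected outcome.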
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to the _internal index
- Search queries targeting Duo-related fields in _internal index
Network Indicators:
- N/A - This is a data exposure issue, not network exploitable
SIEM Query:
index=_internal (integrationKey OR secretKey OR appSecretKey) | stats count by user, src