CVE-2026-20141

4.3 MEDIUM

📋 TL;DR

A low-privileged user without admin role can access Splunk Monitoring Console endpoints due to improper access control in vulnerable Splunk Enterprise versions. This leads to sensitive information disclosure. Only affects on-premises Splunk Enterprise, not Splunk Cloud Platform.

💻 Affected Systems

Products:
  • Splunk Enterprise
Versions: Below 10.0.2, 10.0.3, 9.4.8, and 9.3.9
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Monitoring Console is an app bundled with Splunk Enterprise. It is not available on Splunkbase and is not installed on Splunk Cloud Platform instances.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Low-privileged users gain access to monitoring data, potentially exposing system metrics, performance data, and operational insights that could aid further attacks.

🟠 Likely Case

Unauthorized users access monitoring dashboards and metrics, violating data confidentiality but not enabling system modification.

🟢 If Mitigated

With proper role-based access controls, only authorized admin users can access the Monitoring Console, preventing information disclosure.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires authenticated low-privileged user account. Simple access to monitoring endpoints.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.0.2, 10.0.3, 9.4.8, or 9.3.9

Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2026-0206

Restart Required: Yes

Instructions:

1. Back up the Splunk configuration.
2. Download the appropriate patched version from Splunk downloads.
3. Stop Splunk services.
4. Install the update.
5. Restart Splunk services.
6. Verify version and functionality.

🔧 Temporary Workarounds

Restrict Monitoring Console Access

all

Modify role permissions to restrict access to Monitoring Console endpoints

splunk edit user <username> -role <role> -capability edit_monitoring_console_access=false

🧯 If You Can't Patch

  • Review and restrict user roles to minimize low-privileged accounts
  • Implement network segmentation to limit access to Splunk monitoring interfaces

🔍 How to Verify

Check if Vulnerable:

Check the Splunk version via the web interface or CLI. If the version is below the patched versions and the Monitoring Console is accessible to non-admin users, the system is vulnerable.

Check Version:

splunk version

Verify Fix Applied:

After patching, verify version is 10.0.2/10.0.3, 9.4.8, or 9.3.9. Test that low-privileged users cannot access Monitoring Console endpoints.

📡 Detection & Monitoring

Log Indicators:

  • Access logs showing non-admin users accessing /en-US/app/monitoring_console/ endpoints
  • Failed authentication attempts to monitoring endpoints

Network Indicators:

  • HTTP requests to monitoring console paths from non-admin user accounts

SIEM Query:

index=_internal source=*access.log uri_path="/en-US/app/monitoring_console/*" user!=admin
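
The log indicator above worked offline, as an added example that is not part of the advisory or Splunk's own code: a Python pass over web access log lines that reports non-admin users requesting the Monitoring Console path. The log lines are constructed, and the combined-log-style layout, the ADMIN_USERS allowlist and the function names are assumptions.

```python
import re
from collections import defaultdict

# Path prefix taken from the log indicator on this page.
MC_PREFIX = "/en-US/app/monitoring_console/"
# Assumption: accounts holding the admin role; fill in from your own role mapping.
ADMIN_USERS = {"admin"}

# Assumption: combined-log-style layout: client - user [ts] "METHOD uri PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = """\
10.0.0.5 - admin [02/Feb/2026:09:14:01.120 +0000] "GET /en-US/app/monitoring_console/overview HTTP/1.1" 200 5120
10.0.0.8 - jdoe [02/Feb/2026:09:15:44.003 +0000] "GET /en-US/app/monitoring_console/overview?earliest=-1h HTTP/1.1" 200 4987
10.0.0.8 - jdoe [02/Feb/2026:09:15:50.871 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 2210
10.0.0.9 - - [02/Feb/2026:09:16:02.415 +0000] "GET /en-US/app/monitoring_console/overview HTTP/1.1" 303 0
10.0.0.7 - asmith [02/Feb/2026:09:17:30.650 +0000] "GET /en-US/app/monitoring_console/indexing HTTP/1.1" 403 312
garbled line that does not parse
"""

def find_non_admin_access(log_text, admin_users=ADMIN_USERS):
    """Return {user: [(timestamp, client, path, status), ...]} for non-admin hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        user = m["user"]
        path = m["uri"].split("?", 1)[0]  # compare on the path, not the query string
        if user == "-" or user in admin_users:
            continue  # unauthenticated requests and admins are out of scope here
        if path.startswith(MC_PREFIX):
            hits[user].append((m["ts"], m["client"], path, int(m["status"])))
    return dict(hits)

def successful_only(hits):
    """Keep only 2xx hits, i.e. requests where content was actually served."""
    served = {u: [h for h in rows if 200 <= h[3] < 300] for u, rows in hits.items()}
    return {u: rows for u, rows in served.items() if rows}

if __name__ == "__main__":
    for user, rows in find_non_admin_access(SAMPLE_LOG).items():
        for ts, client, path, status in rows:
            print(f"{ts} user={user} src={client} status={status} {path}")
```

Matching on an allowlist of admin accounts rather than the single name `admin` avoids flagging legitimately named administrators; `successful_only` separates requests that were served from those that were refused.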
