Splunk Patches Multiple Vulnerabilities that Enable DOS Attack and Exposes Sensitive Data
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Splunk has released security updates addressing multiple vulnerabilities across Splunk Enterprise<\/a>, Splunk Cloud Platform, and the Splunk AI Toolkit that could lead to denial-of-service (DoS) conditions and exposure of sensitive data.<\/p>\n The issues, disclosed on May 20, 2026, include three tracked vulnerabilities: CVE-2026-20238, CVE-2026-20239, and CVE-2026-20240.<\/p>\n A medium-severity flaw (CVSS 6.5) affects Splunk AI Toolkit versions below 5.7.3. The issue stems from improper access control caused by misconfigured role inheritance.<\/p>\n Specifically, the toolkit modifies the default \u2018user\u2019 role using an\u00a0 Because Splunk combines inherited search filters using the OR operator, this configuration can override more restrictive filters applied to custom roles.<\/p>\n As a result, low-privileged users without \u2018admin\u2019 or \u2018power\u2019 roles may gain access to sensitive data that should be restricted.<\/p>\n Splunk has fixed this issue in version 5.7.3. As a temporary mitigation, organizations can disable the AI Toolkit or manually modify the\u00a0 However, this workaround may expose the\u00a0 A high-severity vulnerability (CVSS 7.5) impacts Splunk Enterprise and Splunk Cloud Platform.<\/p>\n The flaw is caused by improper output sanitization in the\u00a0TcpChannel\u00a0component, which logs the entire input\/output buffer when socket errors occur.<\/p>\n Attackers with access to the\u00a0 Affected versions include:<\/p>\n Splunk recommends upgrading to the latest patched versions and restricting access to the\u00a0_internal\u00a0index to administrative roles only.<\/p>\n Another high-severity issue (CVSS 7.1) affects the Splunk Archiver app due to improper input validation in the\u00a0 A low-privileged user can exploit this flaw by supplying arbitrary file paths, allowing them to rename critical directories. This can render the Splunk instance inoperable, resulting in a denial-of-service condition<\/a>.<\/p>\n The vulnerability affects multiple versions of Splunk Enterprise (before 10.2.2, 10.0.5, 9.4.11, and 9.3.12) and Splunk Cloud Platform deployments.<\/p>\n Organizations are advised to apply patches immediately<\/a> or turn off the Splunk Archiver app if it is not required. However, turning off the app may interrupt automated data archiving workflows.<\/p>\n Splunk strongly urges users to:<\/p>\n These vulnerabilities highlight the risks associated with misconfigured access controls, insufficient input validation, and insecure logging practices.<\/p>\n Timely patching and proper configuration management remain critical to securing Splunk environments against exploitation.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates.<\/strong><\/p>\n The post Splunk Patches Multiple Vulnerabilities that Enable DOS Attack and Exposes Sensitive Data<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nSplunk AI Toolkit Access Flaw (CVE-2026-20238<\/a>)<\/strong><\/h3>\n
authorize.conf\u00a0<\/code>file with a\u00a0srchFilter<\/code>\u00a0entry.<\/p>\nauthorization.conf<\/code>\u00a0file to remove or override the\u00a0srchFilter<\/code>\u00a0setting.<\/p>\nai_agent_run_history_index<\/code>\u00a0to broader access, requiring additional restrictions.<\/p>\nSensitive Data Exposure via Logs (CVE-2026-20239<\/a>)<\/strong><\/h3>\n
_internal<\/code>\u00a0index can retrieve sensitive information such as session cookies and HTTP response bodies from log files. This significantly increases the risk of credential theft and session hijacking<\/a>.<\/p>\n\n
Denial-of-Service in Splunk Archiver (CVE-2026-20240<\/a>)<\/strong><\/h3>\n
coldToFrozen.sh<\/code>\u00a0script. This script is used for managing data lifecycle transitions.<\/p>\n\n
as\u00a0_internal<\/code>.<\/li>\n