SB2026052156 - Multiple vulnerabilities in Splunk Enterprise




Published: May 21, 2026

Security Bulletin ID: SB2026052156
CSH Severity: Low
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 2 vulnerabilities.


1) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2026-20239)

CWE-ID: CWE-532 - Information Exposure Through Log Files

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to missing output buffer sanitization in the TcpChannel component when discarding data during socket errors. A remote user can access the _internal index to disclose sensitive information.

Exposed data may include session cookies and response bodies containing sensitive information.


2) Input validation error (CVE-ID: CVE-2026-20240)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to improper input validation in the coldToFrozen.sh script in the splunk_archiver app when processing user-supplied file paths. A remote user can supply arbitrary file paths to rename critical Splunk directories and cause a denial of service.

Only users that do not hold the admin or power Splunk roles can exploit this issue, and instances that do not use the Splunk Archiver app are not impacted.


Remediation

Install the update from the vendor's website.