PT-2026-20470 · Splunk · Splunk Enterprise

Fredrik Alexandersson

Published: 2026-02-18 · Updated: 2026-02-24

CVE-2026-20139

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions
Splunk Enterprise versions prior to 10.2.0
Splunk Enterprise versions 10.0.2 through 10.0.2
Splunk Enterprise versions 9.2.12 through 9.4.8
Splunk Enterprise versions 9.3.9
Splunk Cloud Platform versions prior to 10.2.2510.3
Splunk Cloud Platform versions 10.0.2503.9 through 10.1.2507.8
Splunk Cloud Platform versions 9.3.2411.121

Description
A low-privileged user who holds neither the 'admin' nor the 'power' Splunk role can craft a malicious payload in the realname, tz, or email parameters of the /splunkd/__raw/services/authentication/users/username REST API endpoint when changing a password. This could cause a client-side denial of service (DoS), significantly slowing page load times or making Splunk Web temporarily unresponsive.

Recommendations
Update Splunk Enterprise to version 10.2.0 or later.
Update Splunk Enterprise to version 10.0.2 or later.
Update Splunk Enterprise to version 9.4.8 or later.
Update Splunk Enterprise to version 9.3.9 or later.
Update Splunk Enterprise to version 9.2.12 or later.
Update Splunk Cloud Platform to version 10.2.2510.3 or later.
Update Splunk Cloud Platform to version 10.1.2507.8 or later.
Update Splunk Cloud Platform to version 10.0.2503.9 or later.
Update Splunk Cloud Platform to version 9.3.2411.121 or later.

Fix

DoS

Resource Exhaustion

Weakness Enumeration

Related identifiers

CVE-2026-20139

Affected products

Splunk Cloud Platform
Splunk Enterprise