CVE-2026-20138 Overview
A sensitive information disclosure vulnerability exists in Splunk Enterprise that allows privileged users with access to the _internal index in a Search Head Cluster (SHC) deployment to view Duo Two-Factor Authentication secrets in plain text. This vulnerability exposes the integrationKey, secretKey, and appSecretKey credentials generated by the Duo Two-Factor Authentication for Splunk Enterprise integration.
Critical Impact
Exposure of Duo authentication secrets could allow attackers with elevated privileges to compromise the two-factor authentication mechanism, potentially bypassing MFA protections and gaining unauthorized access to Splunk environments.
Affected Products
- Splunk Enterprise versions below 10.2.0
- Splunk Enterprise versions below 10.0.2
- Splunk Enterprise versions below 9.4.7, 9.3.9, and 9.2.11
Discovery Timeline
- 2026-02-18 - CVE-2026-20138 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2026-20138
Vulnerability Analysis
This vulnerability is classified under CWE-532 (Insertion of Sensitive Information into Log File), indicating that the Duo authentication secrets are being written to log files or internal indices in an insecure manner. When Duo Two-Factor Authentication is configured for Splunk Enterprise, the integration generates three critical secrets: integrationKey, secretKey, and appSecretKey. These credentials are essential for the Duo authentication flow and should be protected with appropriate access controls.
In vulnerable versions, these secrets are stored in plain text within the _internal index, which is Splunk's internal logging and metrics repository. Users who hold roles with read access to this index can query and retrieve these sensitive authentication credentials. While this requires elevated privileges (adjacent network access with high privileges), the exposure of these secrets represents a significant security risk for organizations using Duo MFA to protect their Splunk deployments.
Root Cause
The root cause of this vulnerability is improper handling of sensitive authentication credentials within Splunk's logging infrastructure. The Duo authentication integration writes configuration secrets to the _internal index without proper redaction or encryption. This is a violation of security best practices for credential storage, as authentication secrets should never be logged in plain text or stored in locations accessible to users who don't require direct access to these credentials.
Attack Vector
The attack vector requires an authenticated user with a role that grants access to the Splunk _internal index within a Search Head Cluster (SHC) deployment. An attacker would need to:
- Gain or possess legitimate access to a Splunk Enterprise instance configured with Duo Two-Factor Authentication
- Have a role with permissions to query the _internal index
- Execute search queries against the _internal index to locate and extract the Duo authentication secrets
- Use the extracted integrationKey, secretKey, and appSecretKey to potentially bypass or manipulate the Duo MFA integration
The vulnerability manifests in the logging mechanism that stores Duo authentication configuration data. Organizations should review the Splunk Security Advisory SVD-2026-0203 for technical details on affected components.
Detection Methods for CVE-2026-20138
Indicators of Compromise
- Unusual search queries targeting the _internal index looking for patterns like integrationKey, secretKey, or appSecretKey
- Increased access to the _internal index by users who don't typically query internal metrics
- Search audit logs showing queries containing Duo-related field names or authentication configuration terms
- Unexpected Duo authentication failures or anomalies that may indicate credential misuse
Detection Strategies
- Enable and review Splunk audit logs for searches against the _internal index
- Create correlation searches to alert on queries containing sensitive credential field names
- Monitor user activity logs for role assignments that grant _internal index access
- Implement search filters that alert when users query for known sensitive configuration patterns
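As an added example (not part of this advisory or of Splunk's own tooling), the following Python script applies the detection strategy above offline to constructed lines in the shape of Splunk's audit.log records: it keeps granted searches that read _internal, either by name or through an underscore wildcard such as _*, and that mention one of the exposed Duo field names. The same logic can be expressed as a correlation search over the _audit index.

```python
import fnmatch
import re

# Constructed sample lines in the shape of Splunk's audit.log records (not real data).
SAMPLE_AUDIT_LINES = [
    "Audit:[timestamp=02-18-2026 09:01:10.000, user=admin, action=search, info=granted, search='search index=_internal sourcetype=splunkd ERROR'][n/a]",
    "Audit:[timestamp=02-18-2026 09:05:42.000, user=jdoe, action=search, info=granted, search='search index=_internal secretKey OR integrationKey'][n/a]",
    "Audit:[timestamp=02-18-2026 09:06:13.000, user=jdoe, action=search, info=granted, search='search index=_* appSecretKey'][n/a]",
    "Audit:[timestamp=02-18-2026 09:07:00.000, user=analyst, action=search, info=granted, search='search index=main secretKey'][n/a]",
    "Audit:[timestamp=02-18-2026 09:08:30.000, user=jdoe, action=login, info=succeeded][n/a]",
]

# Field names the advisory says were exposed; matched case-insensitively.
SENSITIVE_TERMS = ("integrationkey", "secretkey", "appsecretkey")
FIELD_RE = re.compile(r"(\w+)=(?:'([^']*)'|([^,\]]+))")
INDEX_RE = re.compile(r"index\s*=\s*\"?([\w*]+)", re.IGNORECASE)

def parse_audit_line(line):
    """Turn the bracketed key=value record into a dict (quoted values keep their spaces)."""
    body = line[line.find("[") + 1 : line.rfind("][")]
    return {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3)).strip()
            for m in FIELD_RE.finditer(body)}

def targets_internal(search):
    """True if the SPL names _internal or an underscore wildcard like _*; a bare * excludes internal indexes."""
    for pattern in INDEX_RE.findall(search):
        if pattern.startswith("_") and fnmatch.fnmatchcase("_internal", pattern):
            return True
    return False

def suspicious_searches(lines):
    """Return (user, search) for granted searches that read _internal and name a Duo secret field."""
    hits = []
    for line in lines:
        rec = parse_audit_line(line)
        search = rec.get("search", "")
        if rec.get("action") != "search" or rec.get("info") != "granted":
            continue
        if targets_internal(search) and any(t in search.lower() for t in SENSITIVE_TERMS):
            hits.append((rec.get("user", "?"), search))
    return hits

if __name__ == "__main__":
    for user, search in suspicious_searches(SAMPLE_AUDIT_LINES):
        print(f"ALERT user={user} search={search!r}")
```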
Monitoring Recommendations
- Deploy SentinelOne Singularity to monitor endpoint activity on Splunk infrastructure servers
- Establish baseline access patterns for the _internal index and alert on deviations
- Configure Splunk's own alerting capabilities to detect suspicious search patterns
- Review Duo admin panel logs for authentication attempts using potentially compromised credentials
How to Mitigate CVE-2026-20138
Immediate Actions Required
- Upgrade Splunk Enterprise to version 10.2.0, 10.0.2, 9.4.7, 9.3.9, or 9.2.11 or later depending on your version branch
- Audit all roles with access to the _internal index and restrict permissions where possible
- Rotate all Duo authentication credentials (integrationKey, secretKey, appSecretKey) after upgrading
- Review search history and audit logs for potential prior exposure of credentials
Patch Information
Splunk has released security patches addressing this vulnerability. Organizations should update to the following minimum versions based on their deployment:
- Splunk Enterprise 10.2.0 or later (for 10.2.x branch)
- Splunk Enterprise 10.0.2 or later (for 10.0.x branch)
- Splunk Enterprise 9.4.7 or later (for 9.4.x branch)
- Splunk Enterprise 9.3.9 or later (for 9.3.x branch)
- Splunk Enterprise 9.2.11 or later (for 9.2.x branch)
For detailed patch information, refer to the Splunk Security Advisory SVD-2026-0203.
Workarounds
- Restrict access to the _internal index to only essential administrative roles until patches can be applied
- Implement role-based access controls (RBAC) to limit which users can query internal indices
- Consider temporarily disabling Duo integration logging if operationally feasible until the upgrade is complete
- Use Splunk's index-level permissions to add additional access restrictions to sensitive internal data
# Review which roles can search the _internal index.
# Run from the Splunk CLI on the search head; --debug prefixes every line of the
# merged authorize.conf with the file it came from.
splunk btool authorize list --debug | grep -A 10 "_internal"
# Note: this grep only finds roles that name _internal literally. A role whose
# srchIndexesAllowed contains _* also reaches every internal index, and index
# access is inherited through importRoles, so both cases need a separate review.
# Example: a restricted role without _internal access, in authorize.conf:
# [role_restricted_user]
# importRoles = user
# srchIndexesAllowed = main;summary
# srchIndexesDefault = main
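As an added example (not from the advisory or from Splunk), this Python script parses authorize.conf role stanzas and reports which roles can effectively search _internal. It follows Splunk's rule that a bare * in srchIndexesAllowed excludes internal indexes while _* covers them, and it resolves access inherited through importRoles, both of which a grep for the literal string _internal misses. The configuration below is a constructed sample.

```python
import configparser
import fnmatch
from io import StringIO

# Constructed sample authorize.conf stanzas (not taken from a real deployment).
SAMPLE_AUTHORIZE_CONF = """[role_admin]
srchIndexesAllowed = *;_*
[role_power]
importRoles = user
srchIndexesAllowed = main;_internal
[role_user]
srchIndexesAllowed = *
[role_restricted_user]
importRoles = user
srchIndexesAllowed = main;summary
[role_soc_analyst]
importRoles = power
"""

def pattern_matches(index, pattern):
    """Splunk wildcard rule: a bare * never covers internal (underscore) indexes; _* does."""
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    return fnmatch.fnmatchcase(index, pattern)

def load_roles(conf_text):
    """Parse [role_<name>] stanzas into {name: {lowercased key: value}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_file(StringIO(conf_text))
    return {s[len("role_"):]: dict(parser[s]) for s in parser.sections() if s.startswith("role_")}

def effective_index_patterns(roles, role, seen=None):
    """Union of srchIndexesAllowed over the role and everything it imports (cycle-safe)."""
    seen = seen if seen is not None else set()
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    stanza = roles[role]
    patterns = {p.strip() for p in stanza.get("srchindexesallowed", "").split(";") if p.strip()}
    for parent in stanza.get("importroles", "").split(";"):
        patterns |= effective_index_patterns(roles, parent.strip(), seen)
    return patterns

def roles_with_access(conf_text, index="_internal"):
    """Sorted role names whose effective patterns cover the given index."""
    roles = load_roles(conf_text)
    return sorted(r for r in roles if any(pattern_matches(index, p) for p in effective_index_patterns(roles, r)))

if __name__ == "__main__":
    print("Roles that can search _internal:", roles_with_access(SAMPLE_AUTHORIZE_CONF))
```

Point load_roles at the output of `splunk btool authorize list` (without --debug) to run it against a live merged configuration.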
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.