A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Six years. Gartner® Magic Quadrant™ Leader.Find Out Why
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-20139

CVE-2026-20139: Splunk Enterprise DoS Vulnerability

CVE-2026-20139 is a client-side denial-of-service flaw in Splunk Enterprise that lets low-privileged users inject malicious payloads to slow or freeze Splunk Web. This article covers technical details, affected versions, and mitigations.

Updated: May 15, 2026

CVE-2026-20139 Overview

CVE-2026-20139 is a client-side denial-of-service (DoS) vulnerability affecting Splunk Enterprise and Splunk Cloud Platform. The flaw allows a low-privileged authenticated user, lacking the admin or power Splunk role, to inject a malicious payload into the realname, tz, or email parameters of the /splunkd/__raw/services/authentication/users/username REST API endpoint during a password change. The payload causes Splunk Web to slow significantly or become temporarily unresponsive when rendered. The vulnerability is tracked under CWE-400: Uncontrolled Resource Consumption.

Critical Impact

Authenticated low-privileged users can degrade Splunk Web availability for other users by injecting crafted payloads into user profile fields exposed through the authentication REST API.

Affected Products

  • Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.8, 9.3.9, and 9.2.12
  • Splunk Cloud Platform versions below 10.2.2510.3, 10.1.2507.8, 10.0.2503.9, and 9.3.2411.121
  • Splunk Web component shipped with the affected releases

Discovery Timeline

  • 2026-02-18 - CVE-2026-20139 published to NVD
  • 2026-02-20 - Last updated in NVD database

Technical Details for CVE-2026-20139

Vulnerability Analysis

The vulnerability exists in the user profile update flow handled by the /splunkd/__raw/services/authentication/users/username REST API endpoint. When a user changes their password, the endpoint accepts attribute updates for the realname, tz, and email parameters without enforcing constraints sufficient to prevent resource-intensive content from being stored. Once persisted, Splunk Web retrieves and renders these attributes in its frontend interface.

The rendering pipeline does not adequately validate the size or structure of the supplied values. A crafted payload submitted by a low-privileged user is therefore returned to any client that loads pages referencing the affected user record, where it consumes excessive browser resources. The result is a client-side denial-of-service condition that slows page loads or freezes Splunk Web sessions.

The attack requires authentication but does not require admin or power role membership. The integrity and confidentiality of stored data are unaffected; only availability of the Splunk Web user interface is impacted.

Root Cause

The root cause is uncontrolled resource consumption [CWE-400] in the handling of user-controlled profile attributes. The affected REST endpoint accepts and stores arbitrary content in the realname, tz, and email fields without enforcing length, character set, or structural validation. Splunk Web then processes this content client-side without protective rendering limits.

Attack Vector

An authenticated attacker sends a POST request to the /splunkd/__raw/services/authentication/users/username endpoint during a password change operation. The request body includes a malicious payload in one or more of the realname, tz, or email parameters. The payload is persisted in the user record. When another user or administrator navigates to a Splunk Web page that renders the modified profile fields, the browser session degrades or becomes unresponsive.

The vulnerability is described in prose only because no public proof-of-concept code is available. Refer to the Splunk Security Advisory SVD-2026-0204 for vendor technical details.

Detection Methods for CVE-2026-20139

Indicators of Compromise

  • POST or PUT requests to /splunkd/__raw/services/authentication/users/<username> originating from non-administrative accounts and containing unusually large realname, tz, or email field values.
  • User records where the realname, tz, or email attributes contain non-standard characters, repeated patterns, or values exceeding typical length expectations.
  • Splunk Web user reports of unresponsive pages, browser hangs, or unusually long load times when viewing user management or related dashboards.

Detection Strategies

  • Audit the _audit index for action=edit_user events and inspect parameter values supplied for realname, tz, and email.
  • Build a search that flags user-profile updates where field length exceeds an organizational baseline, for example values longer than 256 characters.
  • Correlate password-change events from non-privileged accounts with subsequent reports of Splunk Web performance degradation.

Monitoring Recommendations

  • Enable verbose audit logging on the authentication/users REST endpoint and forward logs to a centralized analytics platform for review.
  • Monitor browser-side performance telemetry from administrators who access user management interfaces.
  • Track the distribution of user role assignments and review any password-change activity from accounts without admin or power roles.

How to Mitigate CVE-2026-20139

Immediate Actions Required

  • Upgrade Splunk Enterprise to version 10.2.0, 10.0.2, 9.4.8, 9.3.9, 9.2.12, or later as appropriate for your maintenance track.
  • Confirm that Splunk Cloud Platform tenants are running version 10.2.2510.3, 10.1.2507.8, 10.0.2503.9, 9.3.2411.121, or later.
  • Review existing user accounts for anomalously large or malformed realname, tz, or email values and sanitize them.

Patch Information

Splunk has released fixed versions across all supported maintenance tracks. Apply the upgrades listed in the Splunk Security Advisory SVD-2026-0204. Splunk Cloud Platform customers receive patches through the standard Splunk-managed update process.

Workarounds

  • Restrict use of the password-change workflow to trusted authentication paths and consider integrating an external identity provider that bypasses the affected endpoint.
  • Apply network or proxy-level input size limits on requests to /splunkd/__raw/services/authentication/users/.
  • Audit and minimize the number of accounts that can authenticate to Splunk Web until upgrades are deployed.
bash
# Configuration example: verify installed Splunk version before and after upgrade
$SPLUNK_HOME/bin/splunk version

# Example REST query to enumerate user attribute lengths for review
curl -k -u admin:<password> \
  https://splunk.example.com:8089/services/authentication/users \
  --get -d output_mode=json | \
  jq '.entry[] | {name: .name, realname_len: (.content.realname|length), email_len: (.content.email|length)}'

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeDOS
  • Vendor/TechSplunk
  • SeverityMEDIUM
  • CVSS Score4.3
  • EPSS Probability0.09%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityLow
  • CWE References
  • CWE-400
  • Vendor Resources
  • Splunk Security Advisory SVD-2026-0204
  • Related CVEs
  • CVE-2026-20240: Splunk Enterprise DoS Vulnerability
  • CVE-2024-36982: Splunk Cloud DOS Vulnerability
  • CVE-2024-22165: Splunk Enterprise Security DoS Vulnerability
  • CVE-2023-32706: Splunk Enterprise SAML DOS Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English