CVE-2026-20164 Overview
A sensitive information disclosure vulnerability exists in Splunk Enterprise and Splunk Cloud Platform due to improper access control on the /splunkd/__raw/servicesNS/-/-/configs/conf-passwords REST API endpoint. This vulnerability allows low-privileged users who do not hold the "admin" or "power" Splunk roles to access hashed or plaintext password values stored in the passwords.conf configuration file.
Critical Impact
Unauthorized disclosure of sensitive credentials stored in Splunk's password configuration could enable attackers to escalate privileges, move laterally within the network, or compromise integrated systems that rely on credentials stored in Splunk.
Affected Products
- Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.10
- Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, 10.0.2503.11, and 9.3.2411.123
Discovery Timeline
- March 11, 2026 - CVE-2026-20164 published to NVD
- March 12, 2026 - Last updated in NVD database
Technical Details for CVE-2026-20164
Vulnerability Analysis
This vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw stems from insufficient authorization checks on a sensitive REST API endpoint within Splunk's management interface. When authenticated users with low-privilege roles (not holding "admin" or "power" roles) make requests to the vulnerable endpoint, the application fails to validate their authorization level before returning credential data.
The exposed passwords.conf file is a critical Splunk configuration file that stores credentials used for integrations with external systems, data inputs, and other authenticated services. Depending on Splunk's configuration, these passwords may be stored in hashed form or, in some cases, in plaintext format.
Root Cause
The root cause is improper access control implementation on the /splunkd/__raw/servicesNS/-/-/configs/conf-passwords REST API endpoint. The endpoint lacks proper role-based access control (RBAC) validation, allowing any authenticated user to retrieve sensitive password configuration data regardless of their assigned Splunk roles.
Attack Vector
An attacker with valid low-privilege credentials to a Splunk Enterprise or Splunk Cloud Platform instance can exploit this vulnerability by sending authenticated HTTP requests to the vulnerable REST API endpoint. The attack is network-accessible and requires low-privilege authentication but no user interaction.
The exploitation process involves:
- Obtaining valid low-privilege credentials to the target Splunk instance
- Authenticating to the Splunk REST API
- Sending a GET request to /splunkd/__raw/servicesNS/-/-/configs/conf-passwords
- Parsing the response to extract hashed or plaintext credentials from the passwords.conf configuration
For technical details on exploitation and affected configurations, refer to the Splunk Security Advisory SVD-2026-0303.
Detection Methods for CVE-2026-20164
Indicators of Compromise
- Unusual access patterns to the /splunkd/__raw/servicesNS/-/-/configs/conf-passwords endpoint from non-administrative users
- Multiple requests to password configuration endpoints from a single low-privilege account
- Access to sensitive REST API endpoints from unexpected IP addresses or during unusual hours
- Authentication events followed by immediate access to configuration endpoints
Detection Strategies
- Monitor Splunk internal logs for REST API requests to /servicesNS/-/-/configs/conf-passwords from users without admin or power roles
- Implement alerting for any access to sensitive configuration endpoints by low-privilege accounts
- Review Splunk audit logs for abnormal patterns of configuration file access
- Deploy network monitoring to detect requests to Splunk REST API endpoints that handle credential data
Monitoring Recommendations
- Enable verbose audit logging for Splunk REST API access
- Create correlation searches to identify unauthorized access attempts to credential configuration endpoints
- Monitor for credential harvesting patterns such as sequential access to multiple configuration endpoints
- Implement user behavior analytics to detect anomalous activity from low-privilege accounts
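The following script is an added example (not part of the advisory or of Splunk's own tooling) that turns the first detection strategy and the correlation-search recommendation above into runnable logic: it parses constructed lines in the shape of splunkd_access.log, flags requests to the conf-passwords endpoint by users holding neither "admin" nor "power", and counts hits per account. The user-to-role map is constructed for the example; in practice it would come from the Splunk authentication system. The path match also covers explicit user/app namespaces, not only the `-/-` wildcard form quoted on this page.

```python
import re
from collections import Counter

# Constructed sample lines approximating splunkd_access.log (not real data).
SAMPLE_LOG = """\
10.1.2.3 - admin [11/Mar/2026:09:00:01.000 +0000] "GET /services/server/info HTTP/1.1" 200 512 - - - 2ms
10.1.2.9 - analyst1 [11/Mar/2026:09:05:10.000 +0000] "GET /servicesNS/-/-/configs/conf-passwords HTTP/1.1" 200 4096 - - - 7ms
10.1.2.9 - analyst1 [11/Mar/2026:09:05:12.000 +0000] "GET /splunkd/__raw/servicesNS/-/-/configs/conf-passwords?output_mode=json HTTP/1.1" 200 4100 - - - 6ms
10.1.2.3 - admin [11/Mar/2026:09:06:00.000 +0000] "GET /servicesNS/-/-/configs/conf-passwords HTTP/1.1" 200 4096 - - - 5ms
10.1.2.7 - svc_reader [11/Mar/2026:23:40:00.000 +0000] "GET /splunkd/__raw/servicesNS/nobody/search/configs/conf-passwords HTTP/1.1" 403 0 - - - 1ms
"""

# Constructed role assignments (assumption: in a real deployment, pull these
# from Splunk's authentication/users endpoint or an identity export).
USER_ROLES = {
    "admin": {"admin"},
    "analyst1": {"user"},
    "svc_reader": {"user", "can_delete"},
}
PRIVILEGED_ROLES = {"admin", "power"}

# client - user [timestamp] "METHOD path HTTP/x" status ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Matches the endpoint with or without the /splunkd/__raw prefix and with any
# user/app namespace, optionally followed by a sub-path or query string.
SENSITIVE_PATH_RE = re.compile(
    r'^(?:/splunkd/__raw)?/servicesNS/[^/]+/[^/]+/configs/conf-passwords(?:[/?].*)?$'
)


def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text, user_roles=USER_ROLES):
    """Events where a non-admin/non-power user requested conf-passwords.
    Attempts are reported regardless of HTTP status: a 403 still shows intent."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and SENSITIVE_PATH_RE.match(ev["path"]):
            if not (user_roles.get(ev["user"], set()) & PRIVILEGED_ROLES):
                hits.append(ev)
    return hits


def count_by_user(hits):
    """Per-account tally, for the 'multiple requests from one account' indicator."""
    return Counter(ev["user"] for ev in hits)
```

The same filter expressed as a scheduled search over index=_internal sourcetype=splunkd_access, joined against role membership, is the form that would run inside Splunk itself.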
How to Mitigate CVE-2026-20164
Immediate Actions Required
- Upgrade Splunk Enterprise to version 10.2.0, 10.0.3, 9.4.9, or 9.3.10 or later depending on your version branch
- For Splunk Cloud Platform, ensure your instance is updated to version 10.2.2510.5, 10.1.2507.16, 10.0.2503.11, or 9.3.2411.123 or later
- Review audit logs to identify any potential past exploitation of this vulnerability
- Rotate any credentials stored in passwords.conf if unauthorized access is suspected
Patch Information
Splunk has released security patches addressing this vulnerability in the versions listed above. Refer to the Splunk Security Advisory SVD-2026-0303 for detailed patch information and upgrade instructions.
Workarounds
- Restrict network access to Splunk management interfaces to trusted IP ranges only
- Review and minimize the number of users with authenticated access to Splunk instances
- Implement additional network-level access controls in front of Splunk REST API endpoints
- Consider using a web application firewall (WAF) to restrict access to sensitive API endpoints until patching is complete
# Example: Restrict access to Splunk management port at the firewall level
# Allow only trusted administrator networks (replace 10.0.0.0/8 with your real admin range)
# Note: -A appends, so these rules only take effect if no earlier INPUT rule already
# accepts port 8089; use -I INPUT to insert them ahead of existing rules when needed
iptables -A INPUT -p tcp --dport 8089 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8089 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


