CVE-2026-20238

# SPL (Search Processing Language) Proof of Concept # Context: A low-privileged user runs this search. # Expected: Blocked by role's srchFilter. # Actual: Allowed due to OR logic with parent role modified by Splunk AI Toolkit. index=restricted_data sourcetype=confidential_logs

{"cve": {"id": "CVE-2026-20238", "sourceIdentifier": "[email protected]", "published": "2026-05-20T18:16:26.393", "lastModified": "2026-05-20T18:16:26.393", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data that was restricted through `srchFilter` configurations on custom roles.<br><br>The app contains an `authorize.conf` configuration file with a `srchFilter` entry that modifies the built-in ‘user’ role. Because the Splunk platform combines inherited search filters with the `OR` SPL operator, the injected filter overrides more restrictive filters on child roles."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-863"}]}], "references": [{"url": "https://advisory.splunk.com/advisories/SVD-2026-0502", "source": "[email protected]"}]}}