CVE-2026-20239

Vulnerability

A missing output buffer sanitization in the TcpChannel component of Splunk Enterprise and Splunk Cloud Platform causes full I/O buffer contents to be logged at WARN level when discarding data during socket errors [1]. This results in session cookies and response bodies containing sensitive data being written to the _internal index [1]. Affected versions are Splunk Enterprise below 10.2.2 and 10.0.5, and Splunk Cloud Platform below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13 [1].

Exploitation

An attacker must be a user with a role that has access to the _internal index [1]. No network-level or authentication bypass is required beyond the existing role-based access. The attacker can trigger socket errors by causing data to be discarded, causing the TcpChannel component to log the buffer contents at WARN level [1]. The attacker then queries the _internal index to retrieve the logged sensitive data.

Impact

Successful exploitation allows an authenticated user with _internal index access to view session cookies and response bodies that contain sensitive data [1]. This can lead to session hijacking, account takeover, or disclosure of other sensitive information. The CVSSv3.1 vector is CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating high confidentiality, integrity, and availability impact if further exploited [1].

Mitigation

Upgrade Splunk Enterprise to version 10.2.2 or 10.0.5, or apply the corresponding Splunk Cloud Platform fix versions: 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, or 10.0.2503.13 [1]. As a workaround, restrict _internal index access to administrator-level roles [1].