Splunk Patches DoS and Data Exposure Flaws

Severity

High

Analysis Summary

Splunk has released critical security updates addressing multiple vulnerabilities affecting Splunk Enterprise, Splunk Cloud Platform, and the Splunk AI Toolkit. The disclosed flaws, tracked as CVE-2026-20238, CVE-2026-20239, and CVE-2026-20240, could allow attackers to expose sensitive information, bypass access restrictions, or cause denial-of-service (DoS) conditions in affected environments. The vulnerabilities were publicly disclosed on May 20, 2026, prompting organizations to immediately review their Splunk deployments and apply the latest security patches.

The first issue, CVE-2026-20238, is a medium-severity vulnerability impacting Splunk AI Toolkit versions prior to 5.7.3. The flaw stems from improper access control caused by misconfigured role inheritance in the toolkit’s authorize.conf configuration file. Because Splunk merges inherited search filters using an OR operator, a restrictive filter applied to a custom role can be unintentionally bypassed, allowing low-privileged users without administrative permissions to access sensitive indexed data. Splunk resolved the issue in version 5.7.3 and advised organizations either to upgrade immediately or to disable the AI Toolkit temporarily until remediation is complete.
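As an added illustration (not Splunk's code and not part of the original advisory), the script below models the OR-merge described above over a constructed authorize.conf and flags roles whose own restrictive filter is widened by an inherited one. The importRoles and srchFilter keys are real authorize.conf settings; the sample roles, filters and the helper names are assumptions made for this example.

```python
import configparser
# Constructed sample authorize.conf; role names and filters are made up.
SAMPLE_AUTHORIZE_CONF = """
[role_analyst]
srchFilter = index=app_logs
[role_ai_toolkit_user]
importRoles = analyst
srchFilter = index=app_logs host=web-01
[role_admin]
srchFilter = *
"""

def parse_roles(text):
    """Read [role_*] stanzas into {name: {"filter": str, "imports": [...]}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if section.startswith("role_"):
            raw = cp.get(section, "importRoles", fallback="")
            roles[section[5:]] = {
                "filter": cp.get(section, "srchFilter", fallback="").strip(),
                "imports": [r.strip() for r in raw.split(";") if r.strip()],
            }
    return roles

def effective_filters(roles, name, seen=None):
    """Own srchFilter first, then every inherited one (cycle-safe)."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:
        return []
    seen.add(name)
    parts = [roles[name]["filter"]] if roles[name]["filter"] else []
    for parent in roles[name]["imports"]:
        parts += effective_filters(roles, parent, seen)
    return parts

def find_widened_roles(roles):
    """Flag roles whose own filter is OR-merged with a different inherited one."""
    findings = []
    for name, role in roles.items():
        own = role["filter"]
        inherited = [f for f in effective_filters(roles, name)[1:] if f != own]
        if own and inherited:  # effective filter is at least as broad as any part
            findings.append({
                "role": name,
                "effective": " OR ".join(f"({f})" for f in [own] + inherited),
                "unrestricted": "*" in inherited,  # a wildcard parent opens everything
            })
    return findings
```

Running parse_roles over an exported authorize.conf and passing the result to find_widened_roles lists the custom roles whose effective filter is broader than the one written on them, which is the condition the advisory warns about.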

Another major issue, CVE-2026-20239, is a high-severity vulnerability affecting Splunk Enterprise and Splunk Cloud Platform. The flaw stems from improper output sanitization in the TcpChannel component, which logs full input and output buffers when a socket error occurs. Attackers with access to the _internal index may retrieve highly sensitive information from that log data, such as session cookies, authentication tokens, and HTTP response contents. Affected versions include Splunk Enterprise releases below 10.2.2 and 10.0.5, along with several vulnerable Splunk Cloud Platform branches. Splunk strongly recommends upgrading to patched versions and restricting _internal index access to trusted administrative users only.

The third vulnerability, CVE-2026-20240, is another high-severity flaw, this one affecting the Splunk Archiver application. The issue exists within the coldToFrozen.sh script due to insufficient input validation, allowing low-privileged users to supply arbitrary file paths and rename critical directories. Successful exploitation can render a Splunk instance inoperable, resulting in a denial-of-service condition and disrupting logging or archiving operations. The vulnerability impacts Splunk Enterprise versions prior to 10.2.2, 10.0.5, 9.4.11, and 9.3.12, as well as vulnerable Splunk Cloud deployments. Splunk advises organizations to apply patches immediately or to disable the Splunk Archiver app if it is not required, while also reviewing role-based permissions, restricting sensitive index access, and strengthening configuration management practices to reduce exposure to exploitation.

Impact

  • Sensitive Information Theft
  • Security Bypass
  • Gain Access
  • Denial of Service

Indicators of Compromise

CVE

  • CVE-2026-20238
  • CVE-2026-20239
  • CVE-2026-20240

Remediation

  • Upgrade Splunk AI Toolkit to version 5.7.3 or later to fix the role inheritance and access control flaw (CVE-2026-20238).
  • If immediate patching is not possible, temporarily disable the Splunk AI Toolkit and carefully review any changes to authorize.conf.
  • Ensure that role-based access control (RBAC) is properly configured and remove unsafe or overly permissive inherited search filters.
  • Restrict access to sensitive datasets and review permissions for low-privileged users across all Splunk roles.
  • Upgrade Splunk Enterprise to the patched release for your branch (10.2.2 or later, or 10.0.5 or later; for CVE-2026-20240 also 9.4.11 and 9.3.12 or later), and apply the latest Splunk Cloud Platform security updates to fix CVE-2026-20239 and CVE-2026-20240.
  • Restrict access to the _internal index strictly to administrative or trusted security personnel only.
  • Monitor logs for exposure of sensitive data such as session cookies, HTTP responses, and authentication tokens.
  • Apply proper input/output sanitization controls to reduce logging of sensitive or raw buffer data.
  • Patch the Splunk Archiver app, or disable it if it is not required, to eliminate the CVE-2026-20240 exploitation risk.