Splunk has issued a coordinated batch of security advisories addressing vulnerabilities across Splunk Enterprise, Splunk Cloud Platform, and its specialized AI Toolkit. The three newly patched bugs range from an input validation flaw that causes a Denial of Service (DoS) on the affected instance to sensitive data exposure in logs and an access control override.
Security teams are strongly urged to audit their deployments and apply the necessary version updates to secure their data analytics pipelines.
The first high-exposure flaw, tracked as CVE-2026-20240, involves a severe lack of input validation nested inside the platform’s data archiving infrastructure.
Specifically, a low-privileged user without the admin or power role can manipulate the coldToFrozen.sh script within the splunk_archiver application. Because the script accepts arbitrary file path inputs without verifying that they point at the intended archive directories, a malicious actor can cause the utility to rename critical Splunk system directories. This instantly breaks the instance's database mappings and leaves the server non-functional, resulting in a complete Denial of Service.
- Upgrade Splunk Enterprise to versions 10.2.2, 10.0.5, 9.4.11, or 9.3.12 or higher. If patching cannot be handled immediately, administrators can disable the Splunk Archiver application as a temporary workaround.
The second flaw, tracked as CVE-2026-20239, exposes data directly from the network transmission plane.
A logic vulnerability within the platform's TcpChannel component causes the system to write the full, unparsed contents of an I/O buffer at the WARN log level whenever a socket error discards in-flight communication data. Because these raw buffers are written straight into the _internal index without any output sanitization, users with read access to that index can view active session cookies and cleartext HTTP response bodies.
- Upgrade to Splunk Enterprise versions 10.2.2 or 10.0.5. Organizations should proactively review role configurations and restrict _internal index access strictly to administrator accounts.
The final advisory addresses a flaw, tracked as CVE-2026-20238, embedded inside the Splunk AI Toolkit application.
The application's default authorize.conf file ships with a search filter (srchFilter) that unintentionally modifies the platform's built-in user role. Because the Splunk platform combines inherited search filters with the Search Processing Language (SPL) OR operator, this shipped line overrides, and in effect nullifies, the more restrictive custom filters configured on child roles. As a result, low-privileged users can bypass explicit access controls to view confidential corporate datasets.
- Upgrade the Splunk AI Toolkit to version 5.7.3 or higher. Alternatively, administrators can disable the application or manually wipe the srchFilter line from the local configuration files.
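To illustrate how the OR combination described above lets an inherited filter swallow a child role's restriction, here is an added audit script (not code from Splunk or from the advisory) that parses a constructed authorize.conf fragment and flags roles whose inherited chain contains an unrestricted filter. The `*` filter on the user role is a placeholder for an overly broad inherited filter, not the actual line shipped with the AI Toolkit.

```python
import configparser

# Constructed authorize.conf fragment; the "*" on the user role is a placeholder
# for an overly broad inherited filter, not the line shipped with the AI Toolkit.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchFilter = *
[role_finance_analyst]
importRoles = user
srchFilter = index=finance sourcetype=ledger
"""
UNRESTRICTED = {"", "*", "index=*"}  # filters that impose no restriction


def parse_roles(text):
    """Return {role: {"imports": [...], "filter": str}} from authorize.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (srchFilter, importRoles)
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        imports = cp[section].get("importRoles", "")
        roles[section[len("role_"):]] = {
            "imports": [r.strip() for r in imports.split(";") if r.strip()],
            "filter": cp[section].get("srchFilter", "").strip(),
        }
    return roles


def filter_chain(roles, name, seen=None):
    """Own srchFilter first, then every inherited one; Splunk ORs them together."""
    if seen is None:
        seen = set()
    if name in seen or name not in roles:  # guard against import cycles
        return []
    seen.add(name)
    chain = [roles[name]["filter"]]
    for parent in roles[name]["imports"]:
        chain.extend(filter_chain(roles, parent, seen))
    return chain


def audit(roles):
    """Flag roles whose restrictive filter is ORed with an unrestricted inherited one."""
    findings = {}
    for name, role in roles.items():
        chain = filter_chain(roles, name)
        if role["filter"] not in UNRESTRICTED and any(f in UNRESTRICTED for f in chain[1:]):
            findings[name] = " OR ".join("(%s)" % (f or "<no filter>") for f in chain)
    return findings
```

Running `audit(parse_roles(SAMPLE_AUTHORIZE_CONF))` reports the finance_analyst role with its effective filter `(index=finance sourcetype=ledger) OR (*)`, which matches every event.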