Splunk Enterprise <10.2.0 & <10.0.2 DoS via /services/auth/users API
CVE-2026-20139 Published on February 18, 2026

Client-Side Denial of Service (DoS) through ''/splunkd/__raw/services/authentication/users/username'' REST API endpoint in Splunk Enterprise
In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.8, 9.3.9, and 9.2.12, and Splunk Cloud Platform versions below 10.2.2510.3, 10.1.2507.8, 10.0.2503.9, and 9.3.2411.121, a low-privileged user that does not hold the "admin" or "power" Splunk roles could craft a malicious payload into the `realname`, `tz`, or `email` parameters of the `/splunkd/__raw/services/authentication/users/username` REST API endpoint when they change a password. This could potentially lead to a clientside denialofservice (DoS). The malicious payload might significantly slow page load times or render Splunk Web temporarily unresponsive.

NVD

Weakness Type

What is a Resource Exhaustion Vulnerability?

The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CVE-2026-20139 has been classified to as a Resource Exhaustion vulnerability or weakness.

Products Associated with CVE-2026-20139

stack.watch emails you whenever new vulnerabilities are published in Splunk or Splunk Cloud Platform. Just hit a watch button to start following.

Splunk

Splunk Cloud Platform

Affected Versions

Splunk Enterprise:

Version 10.0 and below 10.0.2 is affected.
Version 9.4 and below 9.4.8 is affected.
Version 9.3 and below 9.3.9 is affected.
Version 9.2 and below 9.2.12 is affected.

Splunk Cloud Platform:

Version 10.2.2510 and below 10.2.2510.3 is affected.
Version 10.1.2507 and below 10.1.2507.8 is affected.
Version 10.0.2503 and below 10.0.2503.9 is affected.
Version 9.3.2411 and below 9.3.2411.121 is affected.

Exploit Probability

EPSS

0.05%

Percentile

15.07%