Splunk Enterprise <10.2.0 & <10.0.3 leaks passwords via conf-passwords API
CVE-2026-20164 Published on March 11, 2026
Sensitive Information Disclosure through Improper Access Control in Splunk Enterprise
In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, 10.0.2503.11, and 9.3.2411.123, a low-privileged user that does not hold the "admin" or "power" Splunk roles could access the `/splunkd/__raw/servicesNS/-/-/configs/conf-passwords` REST API endpoint, which exposes the hashed or plaintext password values that are stored in the passwords.conf configuration file due to improper access control. This vulnerability could allow for the unauthorized disclosure of sensitive credentials.
Weakness Type
What is an Information Disclosure Vulnerability?
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CVE-2026-20164 has been classified to as an Information Disclosure vulnerability or weakness.
Products Associated with CVE-2026-20164
stack.watch emails you whenever new vulnerabilities are published in Splunk or Splunk Cloud Platform. Just hit a watch button to start following.
Affected Versions
Splunk Enterprise:- Version 10.0 and below 10.0.3 is affected.
- Version 9.4 and below 9.4.9 is affected.
- Version 9.3 and below 9.3.10 is affected.
- Version 10.2.2510 and below 10.2.2510.5 is affected.
- Version 10.1.2507 and below 10.1.2507.16 is affected.
- Version 10.0.2503 and below 10.0.2503.11 is affected.
- Version 9.3.2411 and below 9.3.2411.123 is affected.