Splunk AI Toolkit <5.7.3 SRCHFILTER PrivEsc via authorize.conf
CVE-2026-20238 Published on May 20, 2026
Improper Access Control through Role Inheritance in Splunk AI Toolkit app
In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data that was restricted through `srchFilter` configurations on custom roles.

The app contains an `authorize.conf` configuration file with a `srchFilter` entry that modifies the built-in user role. Because the Splunk platform combines inherited search filters with the `OR` SPL operator, the injected filter overrides more restrictive filters on child roles.
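As an added example (not code from Splunk or the AI Toolkit app), the Python below models how inherited `srchFilter` values are joined with `OR`, as described above, and includes an audit helper that flags any stanza setting `srchFilter` on a built-in role. The `[role_<name>]`, `importRoles` and `srchFilter` syntax is real `authorize.conf` syntax; the stanza contents and filter values are constructed for illustration.

```python
# Model of Splunk role inheritance: srchFilter values along the importRoles
# chain are joined with OR (the behaviour the advisory describes), plus an
# audit that flags built-in roles whose filter an app's authorize.conf sets.
import configparser

BUILTIN_ROLES = {"admin", "power", "user", "can_delete"}

# Constructed authorize.conf: an admin-defined custom role restricts HR
# analysts to index=hr, while a (hypothetical) app-shipped stanza sets a
# broad filter on the built-in user role that the custom role inherits.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchFilter = (index=*)

[role_hr_analyst]
importRoles = user
srchFilter = (index=hr)

[role_finance_analyst]
srchFilter = (index=finance)
"""

def parse_authorize_conf(text):
    """Return {role_name: {key: value}} for every [role_<name>] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep srchFilter/importRoles case as written
    cp.read_string(text)
    return {s[len("role_"):]: dict(cp[s])
            for s in cp.sections() if s.startswith("role_")}

def filter_parts(roles, role, _seen=None):
    """Collect the role's own srchFilter and every inherited one.
    Undefined parents and inheritance cycles contribute nothing extra."""
    _seen = set() if _seen is None else _seen
    if role in _seen or role not in roles:
        return []
    _seen.add(role)
    own = roles[role].get("srchFilter", "").strip()
    parts = [own] if own else []
    for parent in roles[role].get("importRoles", "").split(","):
        parts += filter_parts(roles, parent.strip(), _seen)
    return parts

def combined_filter(roles, role):
    """Effective filter: child and inherited filters joined with OR, so a
    broad parent filter widens what the restrictive child can search."""
    return " OR ".join(filter_parts(roles, role))

def audit_builtin_role_filters(roles):
    """Flag built-in roles with a srchFilter set in this conf file."""
    return sorted((r, c["srchFilter"]) for r, c in roles.items()
                  if r in BUILTIN_ROLES and c.get("srchFilter", "").strip())
```

Running `combined_filter(parse_authorize_conf(SAMPLE_AUTHORIZE_CONF), "hr_analyst")` yields `(index=hr) OR (index=*)`, which is the widening the advisory describes, while the audit helper reports the `user` stanza that caused it.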
Weakness Type
What is an AuthZ Vulnerability?
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.
CVE-2026-20238 has been classified as an AuthZ vulnerability or weakness.
Products Associated with CVE-2026-20238
Affected Versions
Splunk AI Toolkit: versions from 5.7 up to, but not including, 5.7.3 are affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.