Description

In Splunk AI Toolkit versions below 5.7.3, a low-privileged user who does not hold the 'admin' or 'power' roles could access confidential data that was restricted through `srchFilter` configurations on custom roles.

The app contains an `authorize.conf` configuration file with a `srchFilter` entry that modifies the built-in 'user' role. Because the Splunk platform combines inherited search filters with the `OR` SPL operator, the injected filter overrides more restrictive filters on child roles.
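The following audit sketch is an added example, not code from Splunk or from the advisory. It merges `[role_*]` stanzas, resolves `importRoles`, and shows how a filter set on the built-in 'user' role widens a child role's effective filter once the two are joined with `OR`. The role `contractor`, both filter values, and the simplified "later file wins" merge are assumptions made for illustration.

```python
import configparser

# Constructed samples. The '*' filter is a placeholder, not the app's real entry;
# 'contractor' is a hypothetical custom role that inherits from 'user'.
APP_CONF = """
[role_user]
srchFilter = *
"""
LOCAL_CONF = """
[role_contractor]
importRoles = user
srchFilter = index=web sourcetype=access_combined
"""
BUILT_IN = {"admin", "power", "user", "can_delete"}

def load_roles(*texts):
    """Merge [role_*] stanzas from authorize.conf texts (simplified: later wins)."""
    roles = {}
    for text in texts:
        cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
        cp.optionxform = str  # keep key case (srchFilter, importRoles)
        cp.read_string(text)
        for section in cp.sections():
            if section.startswith("role_"):
                roles.setdefault(section[5:], {}).update(cp[section])
    return roles

def effective_filter(roles, name, seen=None):
    """Collect a role's own srchFilter plus those of every imported role."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:
        return []
    seen.add(name)
    parts = [roles[name]["srchFilter"]] if roles[name].get("srchFilter") else []
    for parent in filter(None, roles[name].get("importRoles", "").split(";")):
        parts += effective_filter(roles, parent.strip(), seen)
    return parts

def render(parts):
    """Join the collected filters the way inheritance does: with OR."""
    return " OR ".join(f"({p})" for p in parts)

def app_touches_builtin(app_text):
    """Built-in roles whose srchFilter an app-shipped authorize.conf sets."""
    return sorted(r for r, kv in load_roles(app_text).items()
                  if r in BUILT_IN and "srchFilter" in kv)

if __name__ == "__main__":
    print("app sets srchFilter on:", app_touches_builtin(APP_CONF))
    print("before:", render(effective_filter(load_roles(LOCAL_CONF), "contractor")))
    print("after: ", render(effective_filter(load_roles(LOCAL_CONF, APP_CONF), "contractor")))
```

Running `app_touches_builtin` over each installed app's `authorize.conf` gives a quick list of apps that alter built-in roles and therefore every role that imports them.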

PUBLISHED Reserved 2025-10-08 | Published 2026-05-20 | Updated 2026-05-20 | Assigner cisco




MEDIUM: 6.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Problem types

The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

Product status

5.7 (custom) before 5.7.3: affected

Credits

Martin Muller, Splunk

References

advisory.splunk.com/advisories/SVD-2026-0502

cve.org (CVE-2026-20238)

nvd.nist.gov (CVE-2026-20238)