Vulnerability Description
In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.8, 9.3.9, and 9.2.12, and Splunk Cloud Platform versions below 10.2.2510.3, 10.1.2507.8, 10.0.2503.9, and 9.3.2411.121, a low-privileged user who does not hold the "admin" or "power" Splunk role could inject a malicious payload into the `realname`, `tz`, or `email` parameters of the `/splunkd/__raw/services/authentication/users/username` REST API endpoint when changing a password. This could lead to a client-side denial of service (DoS): the stored payload might significantly slow page load times or render Splunk Web temporarily unresponsive for users who view the affected page.
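The version list above is what an operator actually has to act on, so here is an added example (not Splunk's own tooling and not taken from the advisory) that turns it into a version check and adds a post-patch audit of existing user entries. The fixed versions are copied from the description; everything else is an assumption: the treatment of a release branch with no listed fix, the 256-character length bound, the markup and e-mail heuristics, the check of `tz` against the IANA database, the constructed `SAMPLE_USERS` data, and the field names `name`, `realname`, `tz` and `email` as they appear in the JSON `content` objects returned by `/services/authentication/users`.

```python
"""Checks for CVE-2026-20139. Added example, not Splunk's own code:
(1) is_affected(): is an installed version below the fixed release for its
    major.minor branch? Fixed versions are those listed in the advisory text.
(2) audit_users(): after patching, look for realname/tz/email values that
    look like abuse of the endpoint. The advisory does not describe the
    payload, so the heuristics below (length, markup, tz/e-mail validity)
    are assumptions and will need tuning per deployment.
"""

import re
from typing import Dict, Iterable, List, Set, Tuple

try:
    from zoneinfo import available_timezones  # Python 3.9+, IANA tz names
except ImportError:  # pragma: no cover - older interpreters: skip tz check
    def available_timezones() -> Set[str]:
        return set()

# Fixed versions exactly as listed in the advisory description.
FIXED_VERSIONS = {
    "Splunk Enterprise": ["10.2.0", "10.0.2", "9.4.8", "9.3.9", "9.2.12"],
    "Splunk Cloud Platform": ["10.2.2510.3", "10.1.2507.8", "10.0.2503.9", "9.3.2411.121"],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'9.4.8' -> (9, 4, 8); Cloud versions have four components."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(product: str, version: str) -> bool:
    """True when `version` of `product` is below the fixed release of its branch."""
    v = parse_version(version)
    fixes = {parse_version(f)[:2]: parse_version(f) for f in FIXED_VERSIONS[product]}
    fix = fixes.get(v[:2])
    if fix is not None:
        return v < fix
    # Assumption (not stated on the page): a branch with no listed fix is
    # treated as affected while it is older than the newest fixed release.
    return v < max(fixes.values())


AUDITED_FIELDS = ("realname", "tz", "email")
MAX_FIELD_LEN = 256                      # assumed sane upper bound for these fields
MARKUP_RE = re.compile(r"[<>]")          # assumed: angle brackets do not belong here
EMAIL_RE = re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}$")  # loose shape check only


def audit_users(users: Iterable[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (username, field, reason) for every attribute value that looks abused."""
    known_tz = available_timezones()     # empty set when tzdata is unavailable
    findings: List[Tuple[str, str, str]] = []
    for user in users:
        name = user.get("name", "?")
        for field in AUDITED_FIELDS:
            value = user.get(field, "") or ""
            if len(value) > MAX_FIELD_LEN:
                findings.append((name, field, f"length {len(value)} > {MAX_FIELD_LEN}"))
            if MARKUP_RE.search(value):
                findings.append((name, field, "markup characters"))
            if field == "tz" and value and known_tz and value not in known_tz:
                findings.append((name, field, "not an IANA time zone name"))
            if field == "email" and value and not EMAIL_RE.match(value):
                findings.append((name, field, "not a plausible e-mail address"))
    return findings


# Constructed sample in the shape of the `content` objects returned by
# GET /services/authentication/users?output_mode=json (not a real capture).
SAMPLE_USERS = [
    {"name": "alice", "realname": "Alice Example", "tz": "Europe/Berlin",
     "email": "alice@example.com"},
    {"name": "mallory", "realname": "<marquee>" * 1000, "tz": "A" * 5000,
     "email": "x@" * 1000},
]

if __name__ == "__main__":
    for product, version in (("Splunk Enterprise", "9.4.7"),
                             ("Splunk Cloud Platform", "9.3.2411.121")):
        state = "affected" if is_affected(product, version) else "fixed"
        print(f"{product} {version}: {state}")
    for finding in audit_users(SAMPLE_USERS):
        print(*finding)
```

Feed `audit_users()` the `content` objects from a `| rest /services/authentication/users` search or the JSON REST response; any finding points at an account whose attributes should be reset before the fix is rolled out, since the description says the payload is stored and affects whoever loads the page.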
CVSS Score
4.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Splunk | Splunk | >= 9.2.0, < 9.2.12 |
| Splunk | Splunk Cloud Platform | >= 9.3.2411, < 9.3.2411.121 |
Related Weaknesses (CWE)
References
- https://advisory.splunk.com/advisories/SVD-2026-0204 (Vendor Advisory)
FAQ
What is CVE-2026-20139?
CVE-2026-20139 is a vulnerability with a CVSS score of 4.3 (MEDIUM). In affected Splunk Enterprise and Splunk Cloud Platform versions, a low-privileged user who does not hold the "admin" or "power" role can inject a malicious payload into the `realname`, `tz`, or `email` parameters of the `/splunkd/__raw/services/authentication/users/username` REST API endpoint when changing a password, which can cause a client-side denial of service in Splunk Web.
How severe is CVE-2026-20139?
CVE-2026-20139 has been rated MEDIUM with a CVSS base score of 4.3/10. The impact is limited to a client-side denial of service of Splunk Web (slow page loads or a temporarily unresponsive UI), but it is reachable by any authenticated low-privileged user and does not require the "admin" or "power" roles.
Is there a patch for CVE-2026-20139?
Yes. The versions listed in the description are the fixed releases: upgrade Splunk Enterprise to 10.2.0, 10.0.2, 9.4.8, 9.3.9, or 9.2.12 (or later on the same branch), and Splunk Cloud Platform to 10.2.2510.3, 10.1.2507.8, 10.0.2503.9, or 9.3.2411.121 (or later). See the vendor advisory in the references section for details. Affected products: Splunk Enterprise and Splunk Cloud Platform.