PatchSiren

CVE-2026-20238 Splunk CVE debrief

CVE-2026-20238 is a confidentiality issue in Splunk AI Toolkit versions below 5.7.3. A low-privileged user without the admin or power roles may access data that was intended to be restricted by srchFilter settings on custom roles. The issue arises because the app’s authorize.conf includes a srchFilter entry for the built-in user role, and Splunk’s search-filter inheritance behavior can combine filters in a way that lets the injected filter override stricter child-role restrictions.

Vendor: Splunk
Product: Splunk AI Toolkit
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-21
Advisory published: 2026-05-20
Advisory updated: 2026-05-21

Who should care

Splunk administrators, SOC teams, and platform owners who use Splunk AI Toolkit with custom roles and srchFilter-based access controls. Environments that rely on inherited search filters for tenant, case, or dataset separation should treat this as a data-exposure risk.

Technical summary

NVD records the issue as CVSS 3.1 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) with CWE-863. The advisory description states that Splunk AI Toolkit below 5.7.3 contains an authorize.conf srchFilter entry affecting the built-in user role. Because Splunk combines inherited search filters using OR semantics, a filter introduced at the user-role level can broaden access beyond more restrictive custom-role filters, resulting in unauthorized read access to confidential search results.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade Splunk AI Toolkit to version 5.7.3 or later.
  • Review authorize.conf and any custom role definitions that depend on srchFilter for data restriction.
  • Verify that custom roles still enforce the intended least-privilege search scope after upgrading.
  • Audit logs and saved searches for unusual access to data that should have been filtered by role-based search controls.
  • Test role inheritance behavior in a staging environment before and after remediation to confirm confidentiality boundaries remain intact.
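
As an added example (not Splunk's or the advisory's code), the Python sketch below supports the authorize.conf review above: it resolves importRoles inheritance and lists the custom roles whose own srchFilter ends up ORed with a filter inherited from another role, which is the condition described in the technical summary. The sample stanzas, the placeholder filter on the user role and the function names are assumptions, and the OR combination is a simplified model of the behaviour the advisory describes.

```python
# Constructed sample: the user-role filter is a placeholder, not the app's real entry.
SAMPLE = """
[role_user]
srchFilter = *
[role_tenant_a]
importRoles = user
srchFilter = index=tenant_a
[role_case_reader]
importRoles = tenant_a
srchFilter = index=tenant_a case_id=1001
[role_isolated]
srchFilter = index=audit
"""

def parse_roles(text):  # -> {role: {"imports": [...], "filter": str or None}}
    roles, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[role_") and line.endswith("]"):
            current = roles.setdefault(line[6:-1], {"imports": [], "filter": None})
        elif line.startswith("["):
            current = None  # stanza that is not a role
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "importRoles":
                current["imports"] = [r.strip() for r in value.split(";") if r.strip()]
            elif key == "srchFilter":
                current["filter"] = value or None
    return roles

def inherited_filters(roles, role):
    """List (source_role, srchFilter) for every role reachable through importRoles."""
    found, seen, queue = [], {role}, list(roles[role]["imports"])
    while queue:
        parent = queue.pop(0)
        if parent in roles and parent not in seen:
            seen.add(parent)
            if roles[parent]["filter"]:
                found.append((parent, roles[parent]["filter"]))
            queue.extend(roles[parent]["imports"])
    return found

def effective_filter(roles, role):
    """OR-combine own and inherited filters, the behaviour the advisory describes."""
    parts = [roles[role]["filter"]] + [f for _, f in inherited_filters(roles, role)]
    return " OR ".join(f"({p})" for p in parts if p)

def widened_roles(roles):  # roles whose own srchFilter is ORed with an inherited one
    return {r: extra for r, cfg in roles.items()
            if cfg["filter"] and (extra := inherited_filters(roles, r))}
```

Feed parse_roles the merged authorize.conf from a staging instance before and after the upgrade, and review every role that widened_roles reports together with the source role of each inherited filter.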

Evidence notes

The supplied NVD record identifies CVE-2026-20238 as received on 2026-05-20 and lists CVSS 3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N with CWE-863. The referenced Splunk advisory (SVD-2026-0502) states that Splunk AI Toolkit versions below 5.7.3 can expose confidential data when srchFilter configurations on custom roles interact with an authorize.conf entry affecting the built-in user role. The timing context in this debrief uses the CVE published date provided in the source corpus.

Official resources

Publicly disclosed on 2026-05-20 per the CVE published timestamp in the supplied corpus. The NVD entry was also published and modified on the same date.