CVE-2026-20202
Published: 2026-04-15
Priority: P3 (39) · Severity: medium · CVSS 3.1 base score: 6.6
CVSS 3.1 vector: AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.25% (15.7th percentile)
In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127, a user who holds a role that contains the high-privilege capability `edit_user` could create a specially crafted username that includes a null byte or a non-UTF-8 percent-encoded byte due to improper input validation. This could lead to inconsistent conversion of usernames into a proper format for storage and account management inconsistencies, such as being unable to edit or delete affected users.
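The defect described above is a validation gap: a username containing a raw null byte, or a percent-encoded byte sequence that is not valid UTF-8, is accepted and then normalised differently by different code paths, so the stored account can no longer be addressed for edit or delete. The following is an added example of the kind of strict, single-pass username validation a user-management endpoint can apply before storing a name; it is not Splunk's code and does not describe Splunk's internal handling. It assumes names arrive as Python strings that may carry URL percent-encoding, and it uses only `urllib.parse.unquote_to_bytes` from the standard library.

```python
"""Strict username validation (added example, not Splunk's implementation).

Policy enforced, in order:
  1. no raw control characters (including NUL) in the submitted value,
  2. every '%' must start a well-formed two-hex-digit escape,
  3. the percent-decoded bytes must be strict UTF-8,
  4. the decoded text must again be free of control characters,
  5. decoding must be idempotent, so a double-encoded name cannot mean
     one thing to the storage layer and another to the management API.
Applying one canonical form everywhere is what prevents the
"cannot edit or delete this user" inconsistency the advisory describes.
"""
import re
from urllib.parse import unquote_to_bytes

# A '%' that is not followed by exactly two hex digits is a malformed escape.
_MALFORMED_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


class InvalidUsername(ValueError):
    """Raised when a submitted username fails the canonicalisation policy."""


def _has_control_chars(text: str) -> bool:
    # C0 controls (0x00-0x1F, which includes NUL) and DEL (0x7F)
    return any(ord(ch) < 0x20 or ch == "\x7f" for ch in text)


def canonical_username(raw: str) -> str:
    """Return the single canonical form of `raw`, or raise InvalidUsername."""
    if not raw:
        raise InvalidUsername("empty username")
    if _has_control_chars(raw):
        raise InvalidUsername("control character in submitted username")
    if _MALFORMED_ESCAPE.search(raw):
        raise InvalidUsername("malformed percent-escape in username")

    decoded = unquote_to_bytes(raw)
    try:
        # Strict decoding: lone surrogates and stray high bytes are rejected.
        text = decoded.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise InvalidUsername(
            f"percent-encoded bytes are not valid UTF-8: {exc.reason}"
        ) from exc

    if _has_control_chars(text):
        raise InvalidUsername("control character after percent-decoding")

    # Idempotence check: decoding the decoded text must change nothing.
    # A value such as "bob%2541" decodes to "bob%41", which a second layer
    # would turn into "bobA"; that divergence is exactly what we refuse.
    if unquote_to_bytes(text) != decoded:
        raise InvalidUsername("username is not canonical after one decode")

    return text


def is_valid_username(raw: str) -> bool:
    """Boolean convenience wrapper around canonical_username()."""
    try:
        canonical_username(raw)
        return True
    except InvalidUsername:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from the advisory.
    samples = ["alice", "%C3%A9lodie", "admin\x00", "admin%00",
               "bob%FF", "bob%2541", "bob%zz", ""]
    for name in samples:
        try:
            print(f"{name!r:>14} -> accepted as {canonical_username(name)!r}")
        except InvalidUsername as err:
            print(f"{name!r:>14} -> rejected: {err}")
```

The design point is that validation and canonicalisation happen once, at the boundary, and the canonical string is the only form that reaches storage, the audit log and the management API. Rejecting a malformed or non-UTF-8 escape up front is simpler and safer than trying to guess how each downstream layer would have decoded it.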
Affected (14 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| splunk | splunk | >= 10.0.0 < 10.0.5 | 10.0.5 |
| splunk | splunk | >= 10.2.0 < 10.2.2 | 10.2.2 |
| splunk | splunk | >= 9.3.0 < 9.3.11 | 9.3.11 |
| splunk | splunk | >= 9.4.0 < 9.4.10 | 9.4.10 |
| splunk | splunk_cloud_platform | >= 10.0.2503 < 10.0.2503.13 | 10.0.2503.13 |
| splunk | splunk_cloud_platform | >= 10.1.2507 < 10.1.2507.20 | 10.1.2507.20 |
| splunk | splunk_cloud_platform | >= 10.2.2510 < 10.2.2510.10 | 10.2.2510.10 |
| splunk | splunk_cloud_platform | >= 10.3.2512 < 10.3.2512.6 | 10.3.2512.6 |
| splunk | splunk_cloud_platform | >= 10.4.2603 < Not Affected | Not Affected |
| splunk | splunk_cloud_platform | >= 9.3.2411 < 9.3.2411.127 | 9.3.2411.127 |
| splunk | splunk_enterprise | >= 10.0 < 10.0.5 | 10.0.5 |
| splunk | splunk_enterprise | >= 10.2 < 10.2.2 | 10.2.2 |
| splunk | splunk_enterprise | >= 9.3 < 9.3.11 | 9.3.11 |
| splunk | splunk_enterprise | >= 9.4 < 9.4.10 | 9.4.10 |
VulDB
Splunk Enterprise/Cloud Platform Username edit_user unicode encoding (SVD-2026-0401)
vuldb·2026-04-15·CVSS 6.6
CVE-2026-20202 [MEDIUM] Splunk Enterprise/Cloud Platform Username edit_user unicode encoding (SVD-2026-0401)
A vulnerability has been found in Splunk Enterprise and Cloud Platform and classified as critical. Affected by this vulnerability is the function edit_user of the component Username Handler. The manipulation leads to improper handling of unicode encoding.
This vulnerability is documented as CVE-2026-20202. The attack can be initiated remotely. There is no exploit available.
The affected component should be upgraded.
GHSA
GHSA-p3vg-7hj9-6f24: In Splunk Enterprise versions below 10
ghsa_unreviewed·2026-04-15
CVE-2026-20202 [MEDIUM] CWE-176 GHSA-p3vg-7hj9-6f24: In Splunk Enterprise versions below 10
In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127, a user who holds a role that contains the high-privilege capability `edit_user` could create a specially crafted username that includes a null byte or a non-UTF-8 percent-encoded byte due to improper input validation. This could lead to inconsistent conversion of usernames into a proper format for storage and account management inconsistencies, such as being unable to edit or delete affected users.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-04-15