CVE-2026-20238
Published 2026-05-20
CVE-2026-20238: In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data that was…
Priority P3 · 40 · medium · 6.5 CVSS 3.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS 0.32% · 23.7th percentile
In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data that was restricted through `srchFilter` configurations on custom roles. The app contains an `authorize.conf` configuration file with a `srchFilter` entry that modifies the built-in 'user' role. Because the Splunk platform combines inherited search filters with the `OR` SPL operator, the injected filter overrides more restrictive filters on child roles.
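The following is an added example, not code from Splunk or from this advisory: it models the OR-combination described above on constructed `authorize.conf` text and includes an audit check for app-shipped files that set `srchFilter` on a built-in role. The `hr_analyst` role, both filter values and all function names are assumptions made for illustration.

```python
import configparser

BUILTIN_ROLES = {"admin", "power", "user", "can_delete"}
# Constructed sample: an admin's local authorize.conf with a restricted custom role.
LOCAL_CONF = """
[role_hr_analyst]
importRoles = user
srchFilter = index=hr dept=emea
"""

# Constructed stand-in for an app-shipped authorize.conf (placeholder filter value).
APP_CONF = """
[role_user]
srchFilter = *
"""

def parse_roles(*conf_texts):
    """Merge authorize.conf texts (later ones add or override keys) into {role: settings}."""
    roles = {}
    for text in conf_texts:
        cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
        cp.optionxform = str  # keep key case (srchFilter, importRoles)
        cp.read_string(text)
        for section in cp.sections():
            if section.startswith("role_"):
                roles.setdefault(section[5:], {}).update(cp[section])
    return roles

def filter_parts(roles, name, seen=None):
    """Collect a role's own srchFilter plus every filter inherited via importRoles."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:
        return []
    seen.add(name)
    parts = [roles[name]["srchFilter"]] if roles[name].get("srchFilter") else []
    for parent in filter(None, roles[name].get("importRoles", "").split(";")):
        parts += filter_parts(roles, parent.strip(), seen)
    return parts

def render(roles, name):
    """Effective filter under the OR-combination the advisory describes."""
    return " OR ".join(f"({p})" for p in filter_parts(roles, name))

def builtin_roles_with_filter(app_conf):
    """Audit check: built-in roles that an app's authorize.conf gives a srchFilter."""
    return sorted(r for r, s in parse_roles(app_conf).items()
                  if r in BUILTIN_ROLES and "srchFilter" in s)

print(render(parse_roles(LOCAL_CONF), "hr_analyst"), "->",
      render(parse_roles(LOCAL_CONF, APP_CONF), "hr_analyst"))
```

Running `builtin_roles_with_filter` over each installed app's `authorize.conf` text gives a quick inventory of apps that alter inherited search filters.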
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| splunk | ai_toolkit | >= 5.7.0 < 5.7.3 | 5.7.3 |
| splunk | splunk_ai_toolkit | >= 5.7 < 5.7.3 | 5.7.3 |
GHSA
GHSA-7rq8-f887-2r5g: In Splunk AI Toolkit versions below 5
ghsa_unreviewed·2026-05-20
CVE-2026-20238 [MEDIUM] CWE-863 GHSA-7rq8-f887-2r5g: In Splunk AI Toolkit versions below 5
VulDB
Splunk AI Toolkit up to 5.7.2 Configuration File authorize.conf authorization (SVD-2026-0502)
vuldb·2026-05-20·CVSS 6.5
CVE-2026-20238 [MEDIUM] Splunk AI Toolkit up to 5.7.2 Configuration File authorize.conf authorization (SVD-2026-0502)
A vulnerability, which was classified as problematic, was found in Splunk AI Toolkit up to 5.7.2. This impacts an unknown function of the file authorize.conf of the component Configuration File Handler. Executing a manipulation can lead to incorrect authorization.
This vulnerability is tracked as CVE-2026-20238. The attack can be launched remotely. No exploit exists.
You should upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.