CVE-2026-20202

MEDIUM 6.6

Improper Input Validation during User Account Creation in Splunk Enterprise

CVSS Score

6.6

EPSS Score

0.0%

EPSS Percentile

0th

In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127, a user who holds a role that contains the high-privilege capability `edit_user`could create a specially crafted username that includes a null byte or a non-UTF-8 percent-encoded byte due to improper input validation.<br><br>This could lead to inconsistent conversion of usernames into a proper format for storage and account management inconsistencies, such as being unable to edit or delete affected users.

CWE	CWE-176
Vendor	splunk
Product	splunk enterprise
Published	Apr 15, 2026
Last Updated	Apr 16, 2026

Stay Ahead of the Next One

Get instant alerts for splunk splunk enterprise

Be the first to know when new medium vulnerabilities affecting splunk splunk enterprise are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

Splunk / Splunk Enterprise

10.2 < 10.2.2 10.0 < 10.0.5 9.4 < 9.4.10 9.3 < 9.3.11

Splunk / Splunk Cloud Platform

10.4.2603 < Not Affected 10.3.2512 < 10.3.2512.6 10.2.2510 < 10.2.2510.10 10.1.2507 < 10.1.2507.20 10.0.2503 < 10.0.2503.13 9.3.2411 < 9.3.2411.127

References

NVD ↗ CVE.org ↗ EPSS Data ↗

advisory.splunk.com: https://advisory.splunk.com/advisories/SVD-2026-0401

Credits

Ryan Luke<br><br>Mahfujur Rahman (mahfujwhh)