Platform: splunk
Component: splunk
Fixed in: 9.3.11, 9.4.10, 10.0.2503.13, 10.1.2507.19, 10.2.2510.10, 10.3.2512.6, 10.4.2603.0
CVE-2026-20203 describes a vulnerability in Splunk Enterprise and Cloud Platform where a low-privileged user, lacking the admin or power roles and the accelerate_datamodel capability, can improperly control Data Model Acceleration. This could lead to unintended performance impacts or data inconsistencies. The vulnerability impacts Splunk Enterprise versions prior to 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions before 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127. Patches are available in the specified versions.
CVE-2026-20203 affects Splunk Enterprise and Splunk Cloud Platform, allowing low-privileged users (without 'admin' or 'power' roles and lacking the accelerate_datamodel capability) to turn Data Model Acceleration on or off. This vulnerability stems from improper access controls. While rated as low severity (CVSS 4.3), manipulating Data Model Acceleration can impact search performance and platform efficiency. Affected versions include Splunk Enterprise below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127.
An attacker with access to Splunk, but without administrative privileges, could exploit this vulnerability to modify Data Model Acceleration configuration. This could result in an impact on search performance, platform efficiency, and potentially data availability. The likelihood of exploitation is low, as it requires access to the Splunk platform and the ability to modify application configuration. No additional authentication is required beyond existing system access.
EPSS: 0.03% (9th percentile)
The solution is to upgrade Splunk Enterprise to version 10.2.2 or higher, 10.0.5 or higher, 9.4.10 or higher, or 9.3.11 or higher. For Splunk Cloud Platform, upgrade to version 10.4.2603.0 or higher, 10.3.2512.6 or higher, 10.2.2510.10 or higher, 10.1.2507.19 or higher, 10.0.2503.13 or higher, or 9.3.2411.127 or higher. Additionally, review user permission configurations to ensure only users with appropriate roles and capabilities can modify Data Model Acceleration settings. Applying these updates mitigates the risk of exploitation of this vulnerability.
Upgrade Splunk Enterprise to version 10.2.2, 10.0.5, 9.4.10, 9.3.11, or to a later version of Splunk Cloud Platform (10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.19, 10.0.2503.13, 9.3.2411.127) to mitigate the vulnerability. The update fixes the incorrect access control that allows non-administrator users to modify the Data Model Acceleration configuration.
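Because the fix shipped on several release lines at once, a single "older than X" comparison misclassifies hosts; the following added example (not Splunk's or this page's own code) checks each installation against the fixed version of its own line. It assumes a release line is the first two components of an Enterprise version and the first three of a Cloud Platform version, reports lines the page does not list as unknown, and uses a constructed inventory with hypothetical host names.

```python
# Added example: classify Splunk versions against the fixes for CVE-2026-20203.
# Fixed versions are the ones listed on this page.
FIXED = {
    "enterprise": ["10.2.2", "10.0.5", "9.4.10", "9.3.11"],
    "cloud": ["10.4.2603.0", "10.3.2512.6", "10.2.2510.10",
              "10.1.2507.19", "10.0.2503.13", "9.3.2411.127"],
}
# Assumption: number of leading components that identify a release line.
LINE_LEN = {"enterprise": 2, "cloud": 3}


def parse(version):
    """Turn '9.4.10' into (9, 4, 10)."""
    return tuple(int(part) for part in version.strip().split("."))


def status(product, version):
    """Return 'fixed', 'affected' or 'unknown' for one installation."""
    n = LINE_LEN[product]
    ver = parse(version)
    if len(ver) <= n:
        raise ValueError(f"incomplete {product} version: {version!r}")
    for fixed in map(parse, FIXED[product]):
        if ver[:n] == fixed[:n]:
            # Compare only within the same line: 10.0.4 is newer than
            # 9.4.10 but still older than its own fix, 10.0.5.
            return "fixed" if ver[n:] >= fixed[n:] else "affected"
    return "unknown"  # release line not listed on the page


def triage(inventory):
    """Map host -> status for every (host, product, version) row not fixed."""
    results = ((host, status(product, version))
               for host, product, version in inventory)
    return {host: state for host, state in results if state != "fixed"}


# Constructed inventory; host names are hypothetical.
INVENTORY = [
    ("sh-01", "enterprise", "9.4.10"),
    ("sh-02", "enterprise", "10.0.4"),
    ("idx-01", "enterprise", "9.3.10"),
    ("idx-02", "enterprise", "10.1.0"),
    ("stack-a", "cloud", "10.2.2510.9"),
    ("stack-b", "cloud", "9.3.2411.127"),
]

if __name__ == "__main__":
    for host, state in triage(INVENTORY).items():
        print(f"{host}: {state}")
```

Hosts reported as unknown run a release line this page does not name and need a manual check against the vendor advisory.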
Data Model Acceleration in Splunk optimizes search performance by precalculating and storing results for common queries.
You can verify your Splunk version by accessing 'Settings' > 'Server Information' in the web interface.
Yes, Splunk has released updates that address this vulnerability. Refer to Splunk documentation for detailed instructions on applying the updates.
If you cannot upgrade immediately, review user permissions to restrict access to Data Model Acceleration configuration.
This vulnerability only affects the listed versions of Splunk Enterprise and Splunk Cloud Platform.