CVE-2026-20238 PUBLISHED

Improper Access Control through Role Inheritance in Splunk AI Toolkit app

Assigner: cisco
Reserved: 08.10.2025 Published: 20.05.2026 Updated: 20.05.2026

In Splunk AI Toolkit versions below 5.7.3, a low-privileged user who does not hold the 'admin' or 'power' roles could access confidential data that was restricted through srchFilter configurations on custom roles.

The app contains an authorize.conf configuration file with a srchFilter entry that modifies the built-in 'user' role. Because the Splunk platform combines inherited search filters with the OR SPL operator, the injected filter overrides more restrictive filters on child roles.
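As an added illustration (not part of this CVE record and not Splunk's or the app's own code), the following Python models the inheritance behaviour described above: a minimal parser for authorize.conf role stanzas, the OR-combination of inherited srchFilter values, and an audit helper that flags built-in roles on which an app has set a srchFilter. The stanza contents are constructed for the example, not taken from the affected app.

```python
import re
from typing import Dict, List, Set

# Constructed sample: a custom role restricts analysts to one index and
# inherits from the built-in 'user' role, while an app stanza has given
# 'user' a broad srchFilter (hypothetical values, not the real app's).
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchFilter = index=*

[role_restricted_analyst]
importRoles = user
srchFilter = index=hr_public
"""

# Built-in Splunk roles that custom roles commonly import from.
BUILTIN_ROLES = {"admin", "power", "user", "can_delete"}


def parse_authorize_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [role_<name>] stanzas with key = value lines into a dict."""
    roles: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[role_([^\]]+)\]$", line)
        if m:
            current = m.group(1)
            roles.setdefault(current, {})
            continue
        if current and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            roles[current][key] = value
    return roles


def effective_filter(roles: Dict[str, Dict[str, str]], role: str) -> str:
    """Join the role's own srchFilter with every inherited one using OR,
    the combination rule the advisory describes; importRoles is ';'-separated."""
    parts: List[str] = []

    def walk(name: str, seen: Set[str]) -> None:
        if name in seen or name not in roles:
            return
        seen.add(name)
        if roles[name].get("srchFilter"):
            parts.append(f"({roles[name]['srchFilter']})")
        for parent in roles[name].get("importRoles", "").split(";"):
            if parent.strip():
                walk(parent.strip(), seen)

    walk(role, set())
    return " OR ".join(parts)


def builtin_roles_with_filters(roles: Dict[str, Dict[str, str]]) -> List[str]:
    """Audit check: built-in roles carrying a srchFilter that children inherit."""
    return sorted(r for r in BUILTIN_ROLES if roles.get(r, {}).get("srchFilter"))
```

Running `effective_filter` on the sample shows the restricted role's filter widened to `(index=hr_public) OR (index=*)`, which is why the child's restriction no longer holds.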

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 6.5

Product Status

Vendor Splunk
Product Splunk AI Toolkit
Versions
  • affected from 5.7 to 5.7.3 (excl.)

Credits

  • Martin Muller, Splunk

References

Problem Types

  • (CWE) The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.