CVE-2026-20205 · CVSS 7.2 · EXPLOITED · PATCHED
splunk · splunk mcp server

Sensitive Information Disclosure in '_internal' index in Splunk MCP Server app

Description

In Splunk MCP Server app versions below 1.0.3, a user who holds a role with access to the Splunk `_internal` index or possesses the high-privilege capability `mcp_tool_admin` could view users' session and authorization tokens in clear text.

The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives.

Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) and [Connecting to MCP Server and Admin settings](https://help.splunk.com/en/splunk-enterprise/mcp-server-for-splunk-platform/connecting-to-mcp-server-and-admin-settings) in the Splunk documentation for more information.

Affected Products

| Vendor | Product | Versions |
|--------|---------|----------|
| splunk | splunk mcp server | 1.0 |

References

  • https://advisory.splunk.com/advisories/SVD-2026-0407

Related News (1 articles)

Tier C · VulDB · 6h ago
CVE-2026-20205 | Splunk MCP Server App up to 1.0.2 mcp_tool_admin log file (SVD-2026-0407)
→ No new info (linked only)
CVSS 3.1: 7.2 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA KEV: ❌ No
Actively exploited: ✅ Yes
Patch available: 1.0.3
CWE: CWE-532
Published: Apr 15, 2026
Last enriched: 5h ago (v2)
Trending Score: 51
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

HIGH · CVE-2026-20204 · EXP
Improper Handling and Insufficient Isolation of Specific Temporary Files in Splunk Enterprise
Trending: 50
MEDIUM · CVE-2026-20202 · EXP
Improper Input Validation during User Account Creation in Splunk Enterprise
Trending: 47
MEDIUM · CVE-2026-20203 · EXP
Improper Access Control in Data Model Acceleration in Splunk Enterprise
Trending: 42
PRE-CVE
Multiple vulnerabilities in Splunk products
Trending: 20
MEDIUM · CVE-2026-20144
In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.8, and 9.2.11, and Splunk Cloud Platform versions below 10.2.2510.0, 10.1.2507.11, 10.0.2503.9, and 9.3.2411.120, a user of a Splunk Sear

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Apr 15, 2026
Discovered by ZDM: Apr 15, 2026
Updated (affectedVersions, severity, activelyExploited): Apr 15, 2026
Actively Exploited: Apr 15, 2026
Patch Available: Apr 15, 2026

Version History

v2 · Tier C · last enriched 5h ago

Updated affected versions to include 1.0.2, changed severity to MEDIUM, marked as actively exploited, and noted no patch available.

affectedVersions, severity, activelyExploited
via VulDB

v1 · 7h ago

Initial creation