CVE-2026-20140 – Splunk Enterprise Security Update
“A low-level Windows user could leverage a DLL loading weakness to gain full SYSTEM control of a Splunk server.”
CVE-2026-20140 is a high-severity local privilege escalation vulnerability (CVSS 7.7) affecting Splunk Enterprise for Windows. The issue is caused by a DLL search-order hijacking weakness in affected versions of the software.
A local, low-privileged Windows user with the ability to create directories and write files on the system drive could place a malicious DLL in a location from which Splunk loads libraries during service startup. When the Splunk service restarts, it may load the attacker-controlled DLL. Because the service runs with SYSTEM-level privileges, the malicious code executes with full administrative control.
Successful exploitation could allow attackers to take over the host system, disable logging or security controls, manipulate indexed data, or pivot deeper into the network. While the vulnerability requires local access, the impact is significant in shared or multi-user environments.
Splunk addressed this issue in updated releases of Splunk Enterprise for Windows.
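The advisory does not say which directory the affected versions load from, so the following is a general hardening check added here as an example, not Splunk's own code or tooling: it reports principals other than SYSTEM, Administrators and TrustedInstaller that can create files or subdirectories in the system drive root, the Splunk directories, or any machine-wide PATH entry. The install path in $SplunkHome and the choice of directories to audit are assumptions.

```powershell
# Added example: report non-admin write access on directories a SYSTEM service may load DLLs from.
$SplunkHome = 'C:\Program Files\Splunk'   # assumption: default install path, adjust per host

# FILE_ADD_FILE (0x2), FILE_ADD_SUBDIRECTORY (0x4), GENERIC_WRITE, GENERIC_ALL
$WriteMask = 0x2 -bor 0x4 -bor 0x40000000 -bor 0x10000000

# SIDs expected to hold write access: SYSTEM, Administrators, TrustedInstaller
$Trusted = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# System drive root, the Splunk directories, and every machine-wide PATH entry
$pathDirs = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
    Where-Object { $_ } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }
$dirs = @("$env:SystemDrive\", $SplunkHome, "$SplunkHome\bin") + @($pathDirs) |
    Sort-Object -Unique

$sidType = [System.Security.Principal.SecurityIdentifier]
$findings = foreach ($dir in $dirs) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
        # A listed directory that does not exist can be created by anyone who can write its parent
        [pscustomobject]@{ Path = $dir; Principal = '-'; Rights = 'MISSING DIRECTORY' }
        continue
    }
    foreach ($ace in (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, $sidType)) {
        # Inherit-only ACEs (PropagationFlags bit 2) do not apply to the directory itself
        $inheritOnly = ([int]$ace.PropagationFlags -band 2) -ne 0
        if ($ace.AccessControlType -ne 'Allow' -or $inheritOnly) { continue }
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }

        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $ace.IdentityReference.Value }   # unresolvable SID, show it raw
        [pscustomobject]@{ Path = $dir; Principal = $name; Rights = $ace.FileSystemRights }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No untrusted write access found on the audited directories.' }
```

On a default Windows installation the system drive root usually appears in the output, because Authenticated Users can create subdirectories there; that is the precondition the advisory describes.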