CVE-2026-20204
Remote Code Execution via Temporary File Handling in Splunk

Publication date: 2026-04-15

Last updated on: 2026-04-17

Assigner: Cisco Systems, Inc.

Description
In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles could potentially perform a Remote Code Execution (RCE) by uploading a malicious file to the `$SPLUNK_HOME/var/run/splunk/apptemp` directory due to improper handling and insufficient isolation of temporary files within the `apptemp` directory.
Meta Information
Published: 2026-04-15
Last Modified: 2026-04-17
Generated: 2026-06-16
AI Q&A: 2026-04-15
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 9 associated CPEs

| Vendor | Product | Version / Range |
| --- | --- | --- |
| splunk | splunk | 10.2.0 |
| splunk | splunk | From 10.0.0 (inc) to 10.0.5 (exc) |
| splunk | splunk | From 9.3.0 (inc) to 9.3.11 (exc) |
| splunk | splunk | From 9.4.0 (inc) to 9.4.10 (exc) |
| splunk | splunk_cloud_platform | From 10.0.2503 (inc) to 10.0.2503.13 (exc) |
| splunk | splunk_cloud_platform | From 9.3.2411 (inc) to 9.3.2411.127 (exc) |
| splunk | splunk_cloud_platform | From 10.1.2507 (inc) to 10.1.2507.19 (exc) |
| splunk | splunk_cloud_platform | From 10.2.2510 (inc) to 10.2.2510.9 (exc) |
| splunk | splunk_cloud_platform | From 10.3.2512 (inc) to 10.3.2512.5 (exc) |

| CWE ID | Description |
| --- | --- |
| CWE-377 | Creating and using insecure temporary files can leave application and system data vulnerable to attack. |

Executive Summary

CVE-2026-20204 is a high-severity vulnerability affecting certain versions of Splunk Enterprise and Splunk Cloud Platform. It occurs because of improper handling and insufficient isolation of temporary files in the $SPLUNK_HOME/var/run/splunk/apptemp directory.

This flaw allows a low-privileged user, who does not have admin or power roles, to potentially perform Remote Code Execution (RCE) by uploading a malicious file to the apptemp directory.

The vulnerability specifically impacts the Splunk Web component in affected versions.

Impact Analysis

This vulnerability can have serious impacts because it allows a low-privileged user to execute arbitrary code remotely on the affected system.

Successful exploitation could lead to full compromise of the affected Splunk instance, including unauthorized access, data manipulation, or disruption of services.

Since the vulnerability affects the Splunk Web component, it could be exploited remotely over the network.

Detection Guidance

No specific detection methods or commands for identifying this vulnerability on a network or system are provided in the available information.

Mitigation Strategies

To mitigate this vulnerability, upgrade Splunk Enterprise or Splunk Cloud Platform to the fixed versions listed:

  • Splunk Enterprise versions 10.2.1, 10.0.5, 9.4.10, 9.3.11 or higher.
  • Corresponding fixed versions for Splunk Cloud Platform as detailed in the advisory.

As a workaround, disabling Splunk Web can reduce exposure since the vulnerability requires Splunk Web to be enabled. Guidance on disabling Splunk Web is available via the web.conf configuration.
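
To apply the upgrade guidance across a fleet, the following added example (not part of the advisory or of any Splunk tooling) classifies Splunk Enterprise versions against the fixed releases listed above, comparing components numerically so that 9.4.9 sorts below 9.4.10. The hostnames and inventory are constructed; branches the page does not list, and unparseable strings, are flagged for manual review instead of being guessed. Splunk Cloud Platform ranges are not covered.

```python
import re

# First fixed release per Splunk Enterprise branch, as listed on this page.
FIXED = {(10, 2): (10, 2, 1), (10, 0): (10, 0, 5),
         (9, 4): (9, 4, 10), (9, 3): (9, 3, 11)}


def parse_version(text):
    """Parse 'major.minor.patch' (an optional build suffix is ignored)."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:[.\-+].*)?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def classify(version_text):
    """Return 'affected', 'fixed' or 'review' for a Splunk Enterprise version."""
    version = parse_version(version_text)
    fixed = FIXED.get(version[:2])
    if fixed is None:
        return "review"  # branch not listed on the page: do not guess
    # Tuple comparison is numeric per component, unlike string comparison.
    return "affected" if version < fixed else "fixed"


def triage(inventory):
    """Group hosts by status; unparseable versions go to 'review'."""
    result = {"affected": [], "fixed": [], "review": []}
    for host, version in sorted(inventory.items()):
        try:
            status = classify(version)
        except ValueError:
            status = "review"
        result[status].append(host)
    return result


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "sh01.example.internal": "10.2.0",
    "sh02.example.internal": "10.0.5",
    "idx01.example.internal": "9.4.9",
    "idx02.example.internal": "9.3.11",
    "hf01.example.internal": "9.2.4",
    "hf02.example.internal": "unknown",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```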

Compliance Impact

The provided information does not specify how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.
