CVE-2026-20204
Status: Received - Intake
Remote Code Execution via Temporary File Handling in Splunk

Publication date: 2026-04-15

Last updated on: 2026-04-17

Assigner: Cisco Systems, Inc.

Description
In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles could potentially perform a Remote Code Execution (RCE) by uploading a malicious file to the `$SPLUNK_HOME/var/run/splunk/apptemp` directory due to improper handling and insufficient isolation of temporary files within the `apptemp` directory.
Meta Information
Generated: 2026-05-07
AI Q&A generated: 2026-04-15
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Showing 9 associated CPEs

Vendor   Product                 Version / Range
splunk   splunk                  10.2.0
splunk   splunk                  From 10.0.0 (inc) to 10.0.5 (exc)
splunk   splunk                  From 9.3.0 (inc) to 9.3.11 (exc)
splunk   splunk                  From 9.4.0 (inc) to 9.4.10 (exc)
splunk   splunk_cloud_platform   From 10.0.2503 (inc) to 10.0.2503.13 (exc)
splunk   splunk_cloud_platform   From 9.3.2411 (inc) to 9.3.2411.127 (exc)
splunk   splunk_cloud_platform   From 10.1.2507 (inc) to 10.1.2507.19 (exc)
splunk   splunk_cloud_platform   From 10.2.2510 (inc) to 10.2.2510.9 (exc)
splunk   splunk_cloud_platform   From 10.3.2512 (inc) to 10.3.2512.5 (exc)

Note: the Splunk Cloud Platform 10.4.2603 train (fixed in 10.4.2603.0 according to the description above) has no CPE entry in this list, so version inventory should follow the description rather than the CPE ranges alone.
CWE
CWE-377 (Insecure Temporary File): Creating and using insecure temporary files can leave application and system data vulnerable to attack.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-20204 is a high-severity vulnerability affecting certain versions of Splunk Enterprise and Splunk Cloud Platform. It occurs because of improper handling and insufficient isolation of temporary files in the $SPLUNK_HOME/var/run/splunk/apptemp directory.

This flaw allows a low-privileged user, who does not have admin or power roles, to potentially perform Remote Code Execution (RCE) by uploading a malicious file to the apptemp directory.

The vulnerability specifically impacts the Splunk Web component in affected versions.


How can this vulnerability impact me?

This vulnerability can have serious impacts because it allows an authenticated low-privileged user (one without the `admin` or `power` roles) to execute arbitrary code on the affected Splunk instance.

Successful exploitation could lead to full compromise of the affected Splunk instance, including unauthorized access, data manipulation, or disruption of services.

Since the vulnerability affects the Splunk Web component, it is reachable over the network wherever Splunk Web is enabled and accessible to such a user.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The information on this page provides no detection signatures or commands. What can be checked is whether an instance runs a version below the fixed releases listed in the description, and whether Splunk Web (the affected component) is enabled; unexpected files in `$SPLUNK_HOME/var/run/splunk/apptemp` are the artifact the description points to, since exploitation involves a low-privileged user placing a malicious file there.
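Those two checks can be scripted. The following is an added example, not code from Splunk or from the advisory: it transcribes the fixed versions from the description on this page, classifies a version string against them, and parses a web.conf `[settings]` stanza for `startwebserver` (the documented key that controls whether Splunk Web starts) to report whether an instance is actually exposed. The `splunk version` output and web.conf text used at the bottom are constructed sample inputs.

```python
"""Version and exposure check for CVE-2026-20204 (Splunk apptemp temp-file RCE).

Added example, not code from Splunk or from the advisory. The fixed-version
tables are transcribed from the description on this page; the `splunk version`
output and web.conf text used at the bottom are constructed for the demo.
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, ...]

# Splunk Enterprise: keyed by major.minor branch -> first fixed release.
ENTERPRISE_FIXED: Dict[Version, Version] = {
    (10, 2): (10, 2, 1),
    (10, 0): (10, 0, 5),
    (9, 4): (9, 4, 10),
    (9, 3): (9, 3, 11),
}

# Splunk Cloud Platform: keyed by major.minor.train -> first fixed release.
CLOUD_FIXED: Dict[Version, Version] = {
    (10, 4, 2603): (10, 4, 2603, 0),
    (10, 3, 2512): (10, 3, 2512, 5),
    (10, 2, 2510): (10, 2, 2510, 9),
    (10, 1, 2507): (10, 1, 2507, 19),
    (10, 0, 2503): (10, 0, 2503, 13),
    (9, 3, 2411): (9, 3, 2411, 127),
}


def parse_version(text: str) -> Version:
    """Pull the first dotted numeric version out of free text, e.g.
    'Splunk 9.4.9 (build 1a2b3c)' -> (9, 4, 9)."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if not match:
        raise ValueError(f"no dotted version in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def assess(version: Version, cloud: bool = False) -> str:
    """Classify a version as 'vulnerable', 'fixed' or 'not listed'.

    A branch the advisory text does not name (e.g. Enterprise 10.1.x) is
    reported as 'not listed' rather than assumed safe.
    """
    table, key_len = (CLOUD_FIXED, 3) if cloud else (ENTERPRISE_FIXED, 2)
    key = version[:key_len]
    if len(key) < key_len or key not in table:
        return "not listed"
    # Tuple comparison is lexicographic, so (9, 4, 9) < (9, 4, 10) as intended.
    return "vulnerable" if version < table[key] else "fixed"


def splunk_web_enabled(web_conf: str) -> bool:
    """Read the [settings] stanza of a web.conf and report whether Splunk Web
    starts. `startwebserver` is the documented key; it defaults to 1 (enabled)
    when absent, so an empty or missing stanza means Splunk Web is on."""
    stanza = None
    enabled = True
    for raw in web_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
            continue
        if stanza == "settings" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "startwebserver":
                enabled = value.lower() not in ("0", "false")
    return enabled


def exposure(version_text: str, web_conf: str, cloud: bool = False) -> Dict[str, object]:
    """Combine both checks: an instance is exposed to this CVE only when it runs
    a vulnerable build and Splunk Web (the affected component) is enabled."""
    version = parse_version(version_text)
    status = assess(version, cloud)
    web = splunk_web_enabled(web_conf)
    return {
        "version": ".".join(map(str, version)),
        "status": status,
        "splunk_web": web,
        "exposed": status == "vulnerable" and web,
    }


if __name__ == "__main__":
    # Constructed sample inputs; on a real host feed it `splunk version`
    # output and the merged web.conf settings.
    sample_version = "Splunk 9.4.9 (build 1a2b3c4d)"
    sample_web_conf = "[settings]\nhttpport = 8000\nstartwebserver = 1\n"
    print(exposure(sample_version, sample_web_conf))
    print(assess(parse_version("10.1.2507.18"), cloud=True))
```

On a real host, pass the output of `splunk version` and, because web.conf is layered across the default, app and local directories, the merged view from `splunk btool web list settings` rather than a single file. A result of `not listed` means the branch is not named in the description on this page and needs checking against the vendor advisory; it does not mean the build is safe.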


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade Splunk Enterprise or Splunk Cloud Platform to the fixed release for the branch you run:

  • Splunk Enterprise: 10.2.1, 10.0.5, 9.4.10, or 9.3.11 and later within each branch.
  • Splunk Cloud Platform: 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, or 9.3.2411.127 and later within each release train (the same versions the description above lists).

As a workaround, disabling Splunk Web removes the exposure, since the vulnerability requires Splunk Web to be enabled. Splunk Web is controlled by the `startwebserver` setting in the `[settings]` stanza of web.conf (set it to 0 and restart Splunk). This disables the web UI on that instance and does not change how the `apptemp` directory is handled, so treat it as a stopgap until the upgrade is applied.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.

