PT-2026-33066 · Splunk · Splunk Enterprise+1
Published: 2026-04-15 · Updated: 2026-05-19
CVE-2026-20204
CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Splunk Enterprise versions prior to 10.2.1
Splunk Enterprise versions prior to 10.0.5
Splunk Enterprise versions prior to 9.4.10
Splunk Enterprise versions prior to 9.3.11
Splunk Cloud Platform versions prior to 10.4.2603.0
Splunk Cloud Platform versions prior to 10.3.2512.5
Splunk Cloud Platform versions prior to 10.2.2510.9
Splunk Cloud Platform versions prior to 10.1.2507.19
Splunk Cloud Platform versions prior to 10.0.2503.13
Splunk Cloud Platform versions prior to 9.3.2411.127
Description
A low-privileged user without admin or power roles can achieve Remote Code Execution (RCE) by uploading a malicious file to the $SPLUNK_HOME/var/run/splunk/apptemp directory. This is possible due to improper handling and insufficient isolation of temporary files within the apptemp directory.
Recommendations
Update to version 10.2.1 or newer.
Update to version 10.0.5 or newer.
Update to version 9.4.10 or newer.
Update to version 9.3.11 or newer.
Update to version 10.4.2603.0 or newer.
Update to version 10.3.2512.5 or newer.
Update to version 10.2.2510.9 or newer.
Update to version 10.1.2507.19 or newer.
Update to version 10.0.2503.13 or newer.
Update to version 9.3.2411.127 or newer.
Fix
RCE
Affected Products
Splunk Cloud Platform
Splunk Enterprise