CVE-2026-20204 PUBLISHED

Improper Handling and Insufficient Isolation of Specific Temporary Files in Splunk Enterprise

Assigner: cisco
Reserved: 08.10.2025 Published: 15.04.2026 Updated: 15.04.2026

In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the admin or power Splunk roles could potentially perform a Remote Code Execution (RCE) by uploading a malicious file to the $SPLUNK_HOME/var/run/splunk/apptemp directory due to improper handling and insufficient isolation of temporary files within the apptemp directory.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVSS Score: 7.1

Product Status

Vendor Splunk
Product Splunk Enterprise
Versions
  • affected from 10.2 to 10.2.1 (excl.)
  • affected from 10.0 to 10.0.5 (excl.)
  • affected from 9.4 to 9.4.10 (excl.)
  • affected from 9.3 to 9.3.11 (excl.)
Vendor Splunk
Product Splunk Cloud Platform
Versions
  • affected from 10.4.2603 to Not Affected (excl.)
  • affected from 10.3.2512 to 10.3.2512.5 (excl.)
  • affected from 10.2.2510 to 10.2.2510.9 (excl.)
  • affected from 10.1.2507 to 10.1.2507.19 (excl.)
  • affected from 10.0.2503 to 10.0.2503.13 (excl.)
  • affected from 9.3.2411 to 9.3.2411.127 (excl.)

Credits

  • Gabriel Nitu, Splunk

References

Problem Types

  • Creating and using insecure temporary files can leave application and system data vulnerable to attack. cwe