Introduction
A low-privileged user on a Splunk deployment can achieve remote code execution by uploading a malicious file to a temporary directory, and this is the second time in roughly a year that this exact attack surface has been disclosed. CVE-2026-20204 affects both Splunk Enterprise and Splunk Cloud Platform, carrying a CVSS score of 7.1, and its resemblance to CVE-2025-20229 from March 2025 makes it particularly noteworthy for defenders who assumed this issue was already resolved.
Technical Information
The vulnerability is rooted in how Splunk handles temporary files within the $SPLUNK_HOME/var/run/splunk/apptemp directory. This directory is used during application management operations, and the flaw is classified under CWE-377: Insecure Temporary File.
The core problem is twofold: improper handling and insufficient isolation of temporary files within the apptemp directory. Splunk fails to adequately restrict which users can write files to this location and does not properly validate or sandbox the contents of uploaded files. As a result, a user holding only a low-privilege Splunk role (anything below admin or power) can place a malicious file into this directory.
Attack Flow
The exploitation path is straightforward, which adds to the risk profile:
- The attacker authenticates to the Splunk instance with any valid low-privilege account. No admin or power role is required.
- The attacker crafts a malicious file designed for code execution within the Splunk runtime environment.
- The attacker uploads this file to the $SPLUNK_HOME/var/run/splunk/apptemp directory, exploiting the insufficient access controls and file isolation on this path.
- Due to the improper handling of temporary files, the uploaded payload is processed or executed by Splunk, granting the attacker remote code execution on the underlying system.
Preconditions
A critical precondition for exploitation is that Splunk Web must be turned on. The web interface provides the attack surface through which the file upload is performed. If Splunk Web is disabled, this particular vector is not reachable.
Workaround
For organizations that cannot immediately upgrade, Splunk recommends turning off Splunk Web as a temporary mitigation. Administrators should consult Splunk's documentation on disabling unnecessary components to implement this change.
For permanent remediation, upgrading to the fixed versions listed below is required.
Affected Systems and Versions
Splunk Enterprise
All versions below the following are vulnerable:
| Release Train | Fixed Version |
|---|---|
| 10.2.x | 10.2.1 |
| 10.0.x | 10.0.5 |
| 9.4.x | 9.4.10 |
| 9.3.x | 9.3.11 |
Splunk Cloud Platform
All versions below the following are vulnerable:
| Release Train | Fixed Version |
|---|---|
| 10.4.x | 10.4.2603.0 |
| 10.3.x | 10.3.2512.5 |
| 10.2.x | 10.2.2510.9 |
| 10.1.x | 10.1.2507.19 |
| 10.0.x | 10.0.2503.13 |
| 9.3.x | 9.3.2411.127 |
The vulnerability is only exploitable when Splunk Web is enabled. Deployments with the web interface disabled are not affected by this specific attack vector.
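The two facts a defender needs to triage this advisory are the fixed-version tables above and the Splunk Web precondition described in the Preconditions and Workaround sections. The following script is an added example for this write-up, not Splunk's code or part of the advisory: it encodes the tables exactly as printed, decides whether a given version sits below the fixed release of its train, and parses a web.conf fragment to see whether Splunk Web is enabled. It assumes the standard web.conf layout, where Splunk Web is on unless `startwebserver = 0` appears under `[settings]`; the sample web.conf contents are constructed for illustration. Versions in release trains the tables do not list are reported for manual review rather than guessed at, except where they fall below the lowest fixed version, which the advisory states are vulnerable.

```python
"""Exposure check for CVE-2026-20204 (added example, not Splunk's own tooling).

Combines the advisory's fixed-version tables with the Splunk Web precondition:
a vulnerable version whose web interface is turned off is not reachable via
this vector, while a vulnerable version with Splunk Web on is exposed.
"""
import configparser
import re

# Fixed versions per release train, copied verbatim from the advisory tables.
FIXED_VERSIONS = {
    "enterprise": {
        "10.2": "10.2.1",
        "10.0": "10.0.5",
        "9.4": "9.4.10",
        "9.3": "9.3.11",
    },
    "cloud": {
        "10.4": "10.4.2603.0",
        "10.3": "10.3.2512.5",
        "10.2": "10.2.2510.9",
        "10.1": "10.1.2507.19",
        "10.0": "10.0.2503.13",
        "9.3": "9.3.2411.127",
    },
}

# Constructed sample web.conf contents (not taken from any real deployment).
SAMPLE_WEB_CONF_DISABLED = """\
[settings]
startwebserver = 0
httpport = 8000
"""
SAMPLE_WEB_CONF_DEFAULT = """\
[settings]
httpport = 8000
"""


def parse_version(version):
    """Turn '10.3.2512.5' into (10, 3, 2512, 5) so tuples compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def release_train(version):
    """'9.4.10' belongs to train '9.4'; '10.4.2603.0' to '10.4'."""
    major, minor = parse_version(version)[:2]
    return f"{major}.{minor}"


def is_vulnerable_version(product, version):
    """True if below the fixed version of its train, False if at or above it.

    Returns None for a train the advisory tables do not list, unless the version
    is below the lowest fixed version of any train (the advisory says all
    versions below the listed fixes are vulnerable).
    """
    table = FIXED_VERSIONS[product]
    fixed = table.get(release_train(version))
    if fixed is not None:
        return parse_version(version) < parse_version(fixed)
    lowest_fixed = min(parse_version(v) for v in table.values())
    if parse_version(version) < lowest_fixed:
        return True
    return None  # not covered by the tables; review the advisory manually


def splunk_web_enabled(web_conf_text):
    """Splunk Web runs unless [settings] startwebserver is set to 0/false.

    Assumes Splunk's ini-style stanza format; configparser handles that.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    parser.read_string(web_conf_text)
    value = parser.get("settings", "startwebserver", fallback="1")
    return value.strip().lower() not in ("0", "false")


def assess(product, version, web_conf_text):
    """Return a one-line exposure verdict for an instance."""
    vulnerable = is_vulnerable_version(product, version)
    if vulnerable is False:
        return "patched"
    if vulnerable is None:
        return "version not in advisory table; review manually"
    if splunk_web_enabled(web_conf_text):
        return "exposed"
    return "vulnerable version, vector mitigated (Splunk Web off); upgrade"


if __name__ == "__main__":
    print(assess("enterprise", "9.3.10", SAMPLE_WEB_CONF_DEFAULT))
    print(assess("enterprise", "9.3.10", SAMPLE_WEB_CONF_DISABLED))
    print(assess("cloud", "10.4.2603.0", SAMPLE_WEB_CONF_DEFAULT))
```

The web.conf check is only meaningful on instances you administer yourself, such as Splunk Enterprise; for Splunk Cloud Platform the version comparison against the cloud table is the relevant part. Treating "Splunk Web off" as mitigated rather than patched mirrors the advisory's own wording: the workaround removes the reachable vector, and only the upgrade removes the flaw.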
Vendor Security History
This vulnerability is not an isolated incident. In March 2025, Splunk disclosed SVD-2025-0301, tracked as CVE-2025-20229. That vulnerability allowed a low privileged user without admin or power roles to perform remote code execution through a file upload to the exact same $SPLUNK_HOME/var/run/splunk/apptemp directory.
The attack vector, the privilege requirements, and the target directory are all identical between the 2025 and 2026 variants. This recurrence strongly suggests either that the original fix for CVE-2025-20229 was incomplete or that the underlying architectural issue in how Splunk manages the apptemp directory was not fully addressed.
Splunk, now operating under Cisco following the completed acquisition in March 2024, was named a Leader in the 2025 Gartner Magic Quadrant for SIEM for the eleventh consecutive time. The vendor has substantial resources and market credibility, which makes the recurrence of this specific vulnerability class worth monitoring closely.
References
- SVD-2026-0403: Splunk Vulnerability Disclosure (Official Advisory)
- SVD-2025-0301: Prior Splunk Vulnerability Disclosure for CVE-2025-20229
- CVE-2025-20229 Detail at NVD
- Splunk Documentation: Disable Unnecessary Splunk Enterprise Components
- Cisco Completes Acquisition of Splunk
- Cisco and Splunk Acquisition Overview
- Splunk Named Leader in 2025 Gartner SIEM Report
- Splunk Analyst Recognition (Cisco Investor Relations)