Splunk Enterprise and Cloud flaw can lead to remote code execution in Splunk Web
Splunk has disclosed a high-severity vulnerability in Splunk Enterprise and Splunk Cloud Platform that can let a low-privileged user achieve remote code execution in affected environments. The flaw, tracked as CVE-2026-20204, carries a CVSS 3.1 score of 7.1 and affects systems with Splunk Web enabled.
The issue is not an unauthenticated internet bug. Splunk says an attacker must already have a low-privileged account and must not hold the admin or power roles. From there, the attacker can upload a malicious file into the $SPLUNK_HOME/var/run/splunk/apptemp directory and potentially trigger remote code execution because of improper handling and insufficient isolation of temporary files.
That still makes the bug serious. Splunk often sits in the middle of logging, monitoring, and security operations, so code execution inside Splunk Web can create a high-value pivot point for attackers who have already gained an initial foothold. This last point is an inference based on Splunk’s role in enterprise environments and the vendor’s own high-severity rating.
What causes CVE-2026-20204
Splunk classifies the flaw as CWE-377, which covers insecure temporary file handling. In the vendor advisory, Splunk says the problem comes from improper handling and insufficient isolation of specific temporary files within the apptemp directory used by Splunk Web.
The attack path is narrow but clear. A low-privileged user uploads a malicious file into the temporary application directory, and the vulnerable Splunk Web component can then process it in a way that opens the door to code execution on the host.
The CVSS vector also shows why the score lands at 7.1 instead of critical territory. Splunk rates the flaw as network-accessible, but it also requires low privileges, high attack complexity, and user interaction.
Affected versions and fixed releases
Splunk says the following Enterprise branches are affected:
| Product branch | Affected versions | Fixed version |
|---|---|---|
| Splunk Enterprise 10.2 | Below 10.2.1 | 10.2.1 |
| Splunk Enterprise 10.0 | 10.0.0 to 10.0.4 | 10.0.5 |
| Splunk Enterprise 9.4 | 9.4.0 to 9.4.9 | 9.4.10 |
| Splunk Enterprise 9.3 | 9.3.0 to 9.3.10 | 9.3.11 |
Splunk also says the following Splunk Cloud Platform builds are affected, while 10.4.2603.0 is not affected:

| Splunk Cloud Platform branch | Affected versions |
|---|---|
| 10.4 | 10.4.2603.0 is not affected |
| 10.3 | Below 10.3.2512.5 |
| 10.2 | Below 10.2.2510.9 |
| 10.1 | Below 10.1.2507.19 |
| 10.0 | Below 10.0.2503.13 |
| 9.3 | Below 9.3.2411.127 |
Mitigation and current exploitation status
Splunk says it has no detections for active exploitation at the time of the advisory. That gives defenders a patch window, but not a reason to delay, especially in environments where many users have access to Splunk.
For Enterprise customers, the vendor’s fix is straightforward: upgrade to 10.2.1, 10.0.5, 9.4.10, 9.3.11, or later. For Splunk Cloud Platform, Splunk says it is actively monitoring and patching cloud instances.
Splunk also lists a temporary workaround. Because the flaw affects instances with Splunk Web turned on, disabling Splunk Web can block the exposed attack path until permanent patching is complete.
What admins should do now
- Identify whether Splunk Web is enabled in your Enterprise or Cloud deployment.
- Patch Splunk Enterprise to the fixed release for your branch.
- Confirm your Splunk Cloud Platform build is at or above the fixed version listed by Splunk.
- Disable Splunk Web as a workaround if you cannot patch immediately.
- Review access for low-privileged user accounts, because this flaw requires an authenticated user without admin or power roles.
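The first three items above amount to two checks: is the installed build below the fixed release for its branch, and is Splunk Web actually turned on. The script below is an added example written for this article, not a Splunk tool. It encodes the version table from this page and reads the `startwebserver` setting from a `web.conf` `[settings]` stanza (a real Splunk setting, enabled by default); the sample `web.conf` fragments and version strings are constructed for the demo, and the mapping of Cloud branches to their "below X" thresholds follows the page literally.

```python
"""Check a Splunk build against the fixed releases listed in the advisory and
report whether Splunk Web (the affected component) is enabled.
Added example for this article; not part of Splunk or the advisory."""
import re

# Fixed releases per Splunk Enterprise branch, from the table on this page.
# Any build in the branch below the fixed release is affected.
ENTERPRISE_FIXED = {
    (10, 2): (10, 2, 1),
    (10, 0): (10, 0, 5),
    (9, 4): (9, 4, 10),
    (9, 3): (9, 3, 11),
}

# Splunk Cloud Platform: the page says builds below these are affected.
CLOUD_FIXED = {
    (10, 3): (10, 3, 2512, 5),
    (10, 2): (10, 2, 2510, 9),
    (10, 1): (10, 1, 2507, 19),
    (10, 0): (10, 0, 2503, 13),
    (9, 3): (9, 3, 2411, 127),
}
# The one Cloud build the page explicitly calls not affected.
CLOUD_NOT_AFFECTED = {(10, 4, 2603, 0)}

VERSION_RE = re.compile(r"(\d+(?:\.\d+){2,3})")


def parse_version(text):
    """Extract the first dotted version from text such as
    'Splunk 9.4.3 (build 1234)' and return it as a tuple of ints."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def build_status(version_text, cloud=False):
    """'affected', 'fixed', or 'branch-not-listed' for builds the advisory
    table does not cover (check the vendor rather than assume)."""
    v = parse_version(version_text)
    if cloud and v in CLOUD_NOT_AFFECTED:
        return "fixed"
    table = CLOUD_FIXED if cloud else ENTERPRISE_FIXED
    fixed = table.get(v[:2])
    if fixed is None:
        return "branch-not-listed"
    return "affected" if v < fixed else "fixed"


def splunk_web_enabled(web_conf_text):
    """Return False only if [settings] startwebserver is 0/false; Splunk's
    default is enabled, so a missing key counts as enabled."""
    stanza = None
    enabled = True
    for raw in web_conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
            continue
        if stanza == "settings" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "startwebserver":
                enabled = value.strip().lower() not in ("0", "false")
    return enabled


def assess(version_text, web_conf_text, cloud=False):
    """Combine build status and Splunk Web state into one verdict."""
    status = build_status(version_text, cloud)
    if status == "affected":
        # Disabling Splunk Web is the page's workaround, not a fix.
        return "exposed" if splunk_web_enabled(web_conf_text) else "affected-web-disabled"
    if status == "fixed":
        return "patched"
    return "unknown-branch"


# Constructed sample web.conf fragments for the demo.
SAMPLE_WEB_CONF_DEFAULT = """
[settings]
httpport = 8000
# startwebserver left at its default (enabled)
"""
SAMPLE_WEB_CONF_DISABLED = """
[settings]
httpport = 8000
startwebserver = 0
"""

if __name__ == "__main__":
    # Constructed version strings; "Splunk X.Y.Z (build ...)" mirrors `splunk version` output.
    for ver, conf, cloud in [
        ("Splunk 9.4.3 (build abc123)", SAMPLE_WEB_CONF_DEFAULT, False),
        ("Splunk 9.3.5 (build def456)", SAMPLE_WEB_CONF_DISABLED, False),
        ("10.2.1", SAMPLE_WEB_CONF_DEFAULT, False),
        ("10.3.2512.4", SAMPLE_WEB_CONF_DEFAULT, True),
    ]:
        print(f"{ver:32} -> {assess(ver, conf, cloud)}")
```

An "affected-web-disabled" result means the workaround is in place but the build is still vulnerable, so it should be patched before Splunk Web is re-enabled; "unknown-branch" means the build is outside the branches the advisory lists and should be checked against the vendor rather than treated as safe.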
FAQ
What is CVE-2026-20204?
It is a Splunk Enterprise and Splunk Cloud Platform vulnerability in Splunk Web that can let a low-privileged user perform remote code execution by uploading a malicious file into the apptemp directory.
Can it be exploited without an account?
No. Splunk says the attacker needs a low-privileged account and must not hold the admin or power roles.
Is Splunk Cloud Platform affected?
Yes, several Splunk Cloud Platform branches are affected, although Splunk says version 10.4.2603.0 is not affected and that it is actively patching cloud instances.
Is it being exploited in the wild?
Splunk says there are currently no detections for exploitation of this flaw.