Splunk Discloses High-Severity RCE Vulnerability in Enterprise and Cloud Platforms
Splunk has disclosed a high-severity vulnerability (CVE-2026-20204) in its Enterprise and Cloud Platform products that enables remote code execution (RCE) and carries a CVSS score of 7.1. The flaw, reported by security researcher Gabriel Nitu, stems from improper handling of temporary files in the SPLUNK_HOME/var/run/splunk/apptemp directory; it allows low-privileged users who hold neither the admin nor the power role to upload malicious files and execute arbitrary code.
The vulnerability poses a significant risk because compromising even an ordinary user account could lead to full server takeover. Affected versions include:
Splunk Enterprise:
- 10.2.0
- 10.0.0–10.0.4
- 9.4.0–9.4.9
- 9.3.0–9.3.10
Splunk Cloud Platform:
- All builds below 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127
(Version 10.4.2603 remains unaffected.)
Splunk has released patches for Enterprise users (10.2.1, 10.0.5, 9.4.10, 9.3.11) and is deploying fixes to Cloud Platform instances. As a temporary workaround, administrators can disable Splunk Web in the web.conf configuration file, which removes the exposed attack surface (and the browser UI for all users) until the patch is applied. The advisory was published on April 15, 2026.
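As an added example (not from the article or from Splunk), a small Python check that compares an inventoried Splunk version string against the affected ranges listed above. It parses versions into integer tuples so that 9.4.10 is correctly treated as later than 9.4.9, which a plain string comparison gets wrong; for Cloud Platform it assumes "below" applies within each major.minor branch, and reports branches the advisory does not list (such as 10.4) as not listed rather than guessing.

```python
"""Check a Splunk version against the affected ranges from the advisory summary above."""
from __future__ import annotations

# Splunk Enterprise ranges copied from the summary: (first affected, last affected) per branch.
ENTERPRISE_AFFECTED = [
    ((10, 2, 0), (10, 2, 0)),
    ((10, 0, 0), (10, 0, 4)),
    ((9, 4, 0), (9, 4, 9)),
    ((9, 3, 0), (9, 3, 10)),
]

# Splunk Cloud Platform: first fixed build per branch; assumption (mine, not the advisory's):
# "below" is compared within the same major.minor branch. The summary notes 10.4.2603 is unaffected.
CLOUD_FIXED = {
    (10, 3): (10, 3, 2512, 5),
    (10, 2): (10, 2, 2510, 9),
    (10, 1): (10, 1, 2507, 19),
    (10, 0): (10, 0, 2503, 13),
    (9, 3): (9, 3, 2411, 127),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '9.4.10' or '10.3.2512.5' into ints so comparison is numeric, not lexical."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def enterprise_status(version: str) -> str:
    """'affected' if the version falls inside a listed Enterprise range, else not in listed ranges."""
    v = parse_version(version)
    for low, high in ENTERPRISE_AFFECTED:
        if low <= v <= high:
            return "affected"
    return "not in listed ranges"


def cloud_status(version: str) -> str:
    """Compare a Cloud Platform build with the first fixed build of its major.minor branch."""
    v = parse_version(version)
    fixed = CLOUD_FIXED.get(v[:2])
    if fixed is None:
        return "branch not listed"
    return "affected" if v < fixed else "fixed"


if __name__ == "__main__":
    for ver in ("9.4.9", "9.4.10", "10.2.0", "10.2.1"):
        print(f"Enterprise {ver}: {enterprise_status(ver)}")
    for ver in ("10.3.2512.3", "9.3.2411.127", "10.4.2603"):
        print(f"Cloud {ver}: {cloud_status(ver)}")
```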
Source: https://gbhackers.com/splunk-enterprise-and-cloud-platform-rce-vulnerability/
Splunk cybersecurity rating report: https://www.rankiteo.com/company/splunk