CVE-2026-20204: Splunk Enterprise & Cloud Platform Low-Privilege RCE via Temp File Handling

A high-severity vulnerability in Splunk Enterprise and Splunk Cloud Platform allows a low-privileged user without admin or power roles to achieve remote code execution by uploading a malicious file to the apptemp directory. CVSS 7.1.

Dylan H.

Security Team

April 16, 2026

Affected Products

  • Splunk Enterprise < 10.2.1
  • Splunk Enterprise < 10.0.5
  • Splunk Enterprise < 9.4.10
  • Splunk Enterprise < 9.3.11
  • Splunk Cloud Platform < 10.4.2603.0
  • Splunk Cloud Platform < 10.3.2512.5
  • Splunk Cloud Platform < 10.2.2510.9
  • Splunk Cloud Platform < 10.1.2507.19
  • Splunk Cloud Platform < 10.0.2503.13
  • Splunk Cloud Platform < 9.3.2411.127

Executive Summary

A high-severity remote code execution vulnerability (CVE-2026-20204) affects multiple versions of Splunk Enterprise and Splunk Cloud Platform. The flaw carries a CVSS score of 7.1 and can be exploited by a low-privileged user — one who does not hold the admin or power Splunk roles — to execute arbitrary code remotely through improper handling of temporary files in the $SPLUNK_HOME/var/run/splunk/apptemp directory.

Splunk has released fixed versions and a workaround. Organizations using Splunk Web should treat this as a priority patch given the low privilege bar for exploitation.


Vulnerability Overview

Attribute | Value
CVE ID | CVE-2026-20204
CVSS Score | 7.1 (High)
CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector | Network
Attack Complexity | High
Privileges Required | Low (non-admin, non-power role)
User Interaction | Required
CWE | CWE-377 (Insecure Temporary Files)
Affected Component | Splunk Web (apptemp directory)
Patch Available | Yes — Splunk April 2026 Advisory
Published | April 15, 2026
KEV Status | Not listed

Affected Products

Splunk Enterprise

Version Line | Fixed Version
10.2.x | 10.2.1
10.0.x | 10.0.5
9.4.x | 9.4.10
9.3.x | 9.3.11

Splunk Cloud Platform

Version Line | Fixed Version
10.4.x | 10.4.2603.0
10.3.x | 10.3.2512.5
10.2.x | 10.2.2510.9
10.1.x | 10.1.2507.19
10.0.x | 10.0.2503.13
9.3.x | 9.3.2411.127

Splunk is actively monitoring and remediating Splunk Cloud Platform instances; customers on managed cloud deployments should verify their version is updated.


Technical Analysis

Root Cause

CVE-2026-20204 stems from insufficient isolation and improper handling of temporary files in the $SPLUNK_HOME/var/run/splunk/apptemp directory, which is used by the Splunk Web component during app processing workflows. A low-privileged attacker with access to file upload workflows can place a malicious file in this directory, which is subsequently executed by the Splunk process — resulting in arbitrary code execution under the Splunk service account.

The vulnerability is classified under CWE-377 (Insecure Temporary File), a class of weaknesses where an application creates or uses temporary files in an unsafe manner, allowing attackers to substitute or inject malicious content.

Attack Requirements

The CVSS vector indicates this is not a trivial exploit:

  • AC:H — High complexity; specific conditions must be met
  • UI:R — User interaction is required (likely an admin action that processes the malicious file)
  • PR:L — Low privileges are sufficient (no admin or power role needed)

This means an attacker with a standard Splunk account could craft an attack that triggers when a privileged user interacts with the malicious file in apptemp.

Attack Flow

1. Attacker authenticates to Splunk Web with a low-privileged account
2. Attacker uploads a malicious file via an app upload or similar workflow
   that writes to $SPLUNK_HOME/var/run/splunk/apptemp
3. Attacker waits for or triggers a privileged user interaction
   (e.g., admin reviewing/processing app submissions)
4. Splunk processes the file without adequate isolation
5. Attacker's payload executes under the Splunk service context
6. Full confidentiality, integrity, and availability impact on the instance

Why This Matters

Splunk is a cornerstone of enterprise SIEM and log management infrastructure. A successful compromise means:

Impact Area | Consequence
Log Tampering | Attacker can modify or delete security events and investigation artifacts
Credential Access | Splunk holds forwarded log credentials, API tokens, and service account data
Lateral Movement | Splunk's network access and integrations enable pivoting to monitored systems
Blind Spot Creation | Compromising the SIEM eliminates detection capability for concurrent attacks
Data Exfiltration | Access to all ingested log data, which may contain sensitive operational information

Remediation

Step 1: Upgrade Splunk Enterprise

# Check current Splunk version
/opt/splunk/bin/splunk version
 
# Download and apply the appropriate upgrade
# Refer to Splunk's upgrade documentation at docs.splunk.com
 
# After upgrade, verify the version
/opt/splunk/bin/splunk version

Apply the following minimum versions:

  • 10.2.x → upgrade to 10.2.1
  • 10.0.x → upgrade to 10.0.5
  • 9.4.x → upgrade to 9.4.10
  • 9.3.x → upgrade to 9.3.11
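As an added example (not part of the advisory or of Splunk's tooling), the following Python compares the output of `splunk version` against the fixed-version tables above for both product lines. The product labels and the sample version strings are constructed for illustration; a line not listed in the advisory is reported as unknown rather than guessed.

```python
import re

# Fixed versions per version line, transcribed from the advisory tables above.
FIXED_VERSIONS = {
    "Splunk Enterprise": {
        "10.2": "10.2.1", "10.0": "10.0.5", "9.4": "9.4.10", "9.3": "9.3.11",
    },
    "Splunk Cloud Platform": {
        "10.4": "10.4.2603.0", "10.3": "10.3.2512.5", "10.2": "10.2.2510.9",
        "10.1": "10.1.2507.19", "10.0": "10.0.2503.13", "9.3": "9.3.2411.127",
    },
}

VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)+)\b")


def parse_version(text):
    """Pull the first dotted version out of text such as 'Splunk 9.4.3 (build ...)'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def assess(product, version_text):
    """Return (status, fixed_version): 'vulnerable', 'fixed', or
    'unknown-line' when the installed major.minor line is not in the advisory."""
    installed = parse_version(version_text)
    line = f"{installed[0]}.{installed[1]}"
    fixed_str = FIXED_VERSIONS[product].get(line)
    if fixed_str is None:
        return "unknown-line", None
    fixed = parse_version(fixed_str)
    # Zero-pad so 9.4.10 and 9.4.10.0 compare as equal rather than as a prefix.
    width = max(len(installed), len(fixed))
    installed_padded = installed + (0,) * (width - len(installed))
    fixed_padded = fixed + (0,) * (width - len(fixed))
    if installed_padded < fixed_padded:
        return "vulnerable", fixed_str
    return "fixed", fixed_str


if __name__ == "__main__":
    # Constructed sample of `splunk version` output; the build string is a placeholder.
    print(assess("Splunk Enterprise", "Splunk 9.4.3 (build example)"))
```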

Step 2: Workaround — Disable Splunk Web

If immediate patching is not possible, disable Splunk Web as a temporary mitigation:

# Edit $SPLUNK_HOME/etc/system/local/web.conf
[settings]
startwebserver = 0

Then restart Splunk:

/opt/splunk/bin/splunk restart

Note: Disabling Splunk Web removes the attack surface but also disables the web UI. Manage via CLI or API during this period.

Step 3: Restrict Access to App Upload Workflows

Limit which users can interact with app management functionality. Audit user roles and remove unnecessary permissions:

| rest /services/authorization/roles
| table title, capabilities, imported_capabilities
| where match(capabilities, "admin_all_objects|edit_local_apps")

Restrict edit_local_apps capability to the minimum required role set.

Step 4: Monitor the apptemp Directory

# Monitor for unexpected file writes to apptemp
inotifywait -m -r "$SPLUNK_HOME/var/run/splunk/apptemp" \
  -e create,modify,close_write \
  --format '%T %w %f %e' --timefmt '%Y-%m-%d %H:%M:%S'

Detection Guidance

Indicator | Description
Unexpected files in apptemp from low-privileged accounts | Direct exploitation indicator
Splunk process spawning child shells (bash, cmd.exe, python) | Post-exploitation execution
Unusual network connections from Splunk service account | Reverse shell or C2 beacon
File writes to apptemp outside of normal app deployment windows | Suspicious activity
Low-privileged users accessing app upload endpoints | Exploitation attempt
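The following Python is an added example, not code from the advisory: it parses the `inotifywait` output format used in Step 4 (`'%T %w %f %e'` with `--timefmt '%Y-%m-%d %H:%M:%S'`) and implements the "writes outside of normal app deployment windows" indicator from the table above. The sample event lines and the weekday 09:00-17:00 deployment window are constructed assumptions; filenames containing spaces are handled because the event list at the end of each line never contains one.

```python
from datetime import datetime, time

# Constructed sample in the exact inotifywait format from Step 4; not real captured data.
SAMPLE_EVENTS = """\
2026-04-16 10:05:12 /opt/splunk/var/run/splunk/apptemp/ my_app.tgz CREATE
2026-04-16 10:05:12 /opt/splunk/var/run/splunk/apptemp/ my_app.tgz CLOSE_WRITE,CLOSE
2026-04-16 03:41:07 /opt/splunk/var/run/splunk/apptemp/ helper.sh CREATE
2026-04-16 03:41:08 /opt/splunk/var/run/splunk/apptemp/ helper.sh CLOSE_WRITE,CLOSE
2026-04-18 14:02:30 /opt/splunk/var/run/splunk/apptemp/ notes with space.txt CLOSE_WRITE,CLOSE
"""

# Assumed deployment window: weekdays 09:00-17:00. Tune to your change policy.
WINDOW_START, WINDOW_END = time(9, 0), time(17, 0)


def parse_event(line):
    """Parse one inotifywait line into (timestamp, full_path, [events])."""
    date, clock, watched_dir, rest = line.rstrip("\n").split(" ", 3)
    # %w ends with '/', %f may contain spaces, %e never does: split from the right.
    filename, events = rest.rsplit(" ", 1)
    ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return ts, watched_dir + filename, events.split(",")


def in_deployment_window(ts):
    """True when ts falls on a weekday inside the assumed window."""
    return ts.weekday() < 5 and WINDOW_START <= ts.time() <= WINDOW_END


def flag_writes(log_text):
    """Return (timestamp, path) for completed writes (CLOSE_WRITE) outside the window."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, path, events = parse_event(line)
        if "CLOSE_WRITE" in events and not in_deployment_window(ts):
            flagged.append((ts.isoformat(sep=" "), path))
    return flagged


if __name__ == "__main__":
    for when, path in flag_writes(SAMPLE_EVENTS):
        print(f"{when} out-of-window write: {path}")
```

Pipe the live `inotifywait` output into `flag_writes` line by line to alert in real time; the CREATE-only events are ignored so each upload is reported once, when its write completes.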

Search for suspicious apptemp activity in Splunk itself:

index=_internal sourcetype=splunkd path="*apptemp*"
| stats count by user, action, path
| where count > 5

Post-Remediation Checklist

  1. Upgrade Splunk Enterprise to the fixed version for your version line
  2. Verify Splunk Cloud Platform instances are on patched versions
  3. Audit all user accounts and remove unnecessary capabilities
  4. Review apptemp directory for unexpected or suspicious files
  5. Check Splunk audit logs for low-privileged app upload activity
  6. Scan the Splunk host for indicators of post-exploitation (web shells, cron jobs)
  7. Rotate credentials for any service accounts accessible via Splunk
  8. Consider disabling Splunk Web if it is not required in your deployment
  9. Enable file integrity monitoring on the apptemp directory going forward

References

  • NVD — CVE-2026-20204
  • Splunk Security Advisory SVD-2026-0403
  • GBHackers — Splunk Enterprise and Cloud Platform Exposed to Dangerous RCE Vulnerability