CVE-2026-20204
Published: 15 April 2026
Summary
CVE-2026-20204 is a high-severity Insecure Temporary File (CWE-377) vulnerability in Splunk Splunk Cloud Platform. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-6 (Configuration Settings).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly remediates the RCE vulnerability arising from improper temporary file handling by applying vendor patches to affected Splunk versions.
Enforces least privilege to prevent low-privileged users from uploading malicious files to the insufficiently isolated $SPLUNK_HOME/var/run/splunk/apptemp directory.
Mandates secure configuration settings for temporary directories to ensure proper isolation and access restrictions, mitigating exploitation via insecure temporary files.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct RCE via exploitation of insecure temp file handling in network-accessible Splunk web application.
NVD Description
In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles could potentially perform a…
more
Remote Code Execution (RCE) by uploading a malicious file to the `$SPLUNK_HOME/var/run/splunk/apptemp` directory due to improper handling and insufficient isolation of temporary files within the `apptemp` directory.
Deeper analysisAI
CVE-2026-20204 is a remote code execution (RCE) vulnerability affecting Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, as well as Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127. The flaw arises from improper handling and insufficient isolation of temporary files within the $SPLUNK_HOME/var/run/splunk/apptemp directory, classified under CWE-377 (Insecure Temporary File). It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H) and was published on 2026-04-15.
A low-privileged Splunk user lacking admin or power roles can exploit this vulnerability remotely by uploading a malicious file to the apptemp directory. Successful exploitation enables arbitrary code execution on the affected system, with high impacts on confidentiality, integrity, and availability. The attack requires network access, high complexity, low privileges, and user interaction.
The Splunk advisory at https://advisory.splunk.com/advisories/SVD-2026-0403 provides details on mitigation, including upgrades to the fixed versions listed above.
Details
- CWE(s)