Cyber Resilience

CVE-2026-20204

High

Published: 15 April 2026

Published
15 April 2026
Modified
17 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0021 43.8th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-20204 is a high-severity Insecure Temporary File (CWE-377) vulnerability in Splunk Splunk Cloud Platform. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 43.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-20204 is a remote code execution (RCE) vulnerability affecting Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, as well as Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127. The flaw arises from improper handling and insufficient isolation of temporary files within the $SPLUNK_HOME/var/run/splunk/apptemp directory, classified under CWE-377 (Insecure Temporary File). It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H) and was published on 2026-04-15.

A low-privileged Splunk user lacking admin or power roles can exploit this vulnerability remotely by uploading a malicious file to the apptemp directory. Successful exploitation enables arbitrary code execution on the affected system, with high impacts on confidentiality, integrity, and availability. The attack requires network access, high complexity, low privileges, and user interaction.

The Splunk advisory at https://advisory.splunk.com/advisories/SVD-2026-0403 provides details on mitigation, including upgrades to the fixed versions listed above.

EU & UK References

Vulnerability details

In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles could potentially perform a…

more

Remote Code Execution (RCE) by uploading a malicious file to the `$SPLUNK_HOME/var/run/splunk/apptemp` directory due to improper handling and insufficient isolation of temporary files within the `apptemp` directory.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct RCE via exploitation of insecure temp file handling in network-accessible Splunk web application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-20229Same product: Splunk Splunk
CVE-2026-20163Same product: Splunk Splunk
CVE-2026-20239Same product: Splunk Splunk
CVE-2025-20231Same product: Splunk Splunk
CVE-2026-49134Shared CWE-377
CVE-2026-20649Shared CWE-377
CVE-2025-67223Shared CWE-377
CVE-2026-49135Shared CWE-377
CVE-2014-0160Same product: Splunk Splunk

Affected Assets

splunk
splunk
10.2.0 · 9.3.0 — 9.3.11 · 9.4.0 — 9.4.10 · 10.0.0 — 10.0.5
splunk
splunk cloud platform
9.3.2411 — 9.3.2411.127 · 10.0.2503 — 10.0.2503.13 · 10.1.2507 — 10.1.2507.19

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the RCE vulnerability arising from improper temporary file handling by applying vendor patches to affected Splunk versions.

prevent

Enforces least privilege to prevent low-privileged users from uploading malicious files to the insufficiently isolated $SPLUNK_HOME/var/run/splunk/apptemp directory.

prevent

Mandates secure configuration settings for temporary directories to ensure proper isolation and access restrictions, mitigating exploitation via insecure temporary files.

References