{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20204", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "state": "PUBLISHED", "assignerShortName": "cisco", "dateReserved": "2025-10-08T11:59:15.397Z", "datePublished": "2026-04-15T15:17:54.019Z", "dateUpdated": "2026-04-16T03:55:29.794Z"}, "containers": {"cna": {"affected": [{"product": "Splunk Enterprise", "vendor": "Splunk", "versions": [{"version": "10.2", "status": "affected", "versionType": "custom", "lessThan": "10.2.1"}, {"version": "10.0", "status": "affected", "versionType": "custom", "lessThan": "10.0.5"}, {"version": "9.4", "status": "affected", "versionType": "custom", "lessThan": "9.4.10"}, {"version": "9.3", "status": "affected", "versionType": "custom", "lessThan": "9.3.11"}]}, {"product": "Splunk Cloud Platform", "vendor": "Splunk", "versions": [{"version": "10.4.2603", "status": "affected", "versionType": "custom", "lessThan": "Not Affected"}, {"version": "10.3.2512", "status": "affected", "versionType": "custom", "lessThan": "10.3.2512.5"}, {"version": "10.2.2510", "status": "affected", "versionType": "custom", "lessThan": "10.2.2510.9"}, {"version": "10.1.2507", "status": "affected", "versionType": "custom", "lessThan": "10.1.2507.19"}, {"version": "10.0.2503", "status": "affected", "versionType": "custom", "lessThan": "10.0.2503.13"}, {"version": "9.3.2411", "status": "affected", "versionType": "custom", "lessThan": "9.3.2411.127"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles could potentially perform a Remote Code Execution (RCE) by uploading a malicious file to the `$SPLUNK_HOME/var/run/splunk/apptemp` directory due to improper handling and insufficient isolation of temporary files within the `apptemp` directory."}], "value": "In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles could potentially perform a Remote Code Execution (RCE) by uploading a malicious file to the `$SPLUNK_HOME/var/run/splunk/apptemp` directory due to improper handling and insufficient isolation of temporary files within the `apptemp` directory."}], "references": [{"url": "https://advisory.splunk.com/advisories/SVD-2026-0403"}], "title": "Improper Handling and Insufficient Isolation of Specific Temporary Files in Splunk Enterprise", "datePublic": "2026-04-15T00:00:00.000Z", "metrics": [{"cvssV3_1": {"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "baseScore": 7.1, "baseSeverity": "HIGH"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cwe", "description": "Creating and using insecure temporary files can leave application and system data vulnerable to attack.", "cweId": "CWE-377"}]}], "source": {"advisory": "SVD-2026-0403"}, "credits": [{"lang": "en", "value": "Gabriel Nitu, Splunk"}], "providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2026-04-15T15:17:54.019Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-20204"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T03:55:29.794Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-20204", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-15T17:45:58.566029Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T17:46:02.374Z"}}], "cna": {"title": "Improper Handling and Insufficient Isolation of Specific Temporary Files in Splunk Enterprise", "source": {"advisory": "SVD-2026-0403"}, "credits": [{"lang": "en", "value": "Gabriel Nitu, Splunk"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Splunk", "product": "Splunk Enterprise", "versions": [{"status": "affected", "version": "10.2", "lessThan": "10.2.1", "versionType": "custom"}, {"status": "affected", "version": "10.0", "lessThan": "10.0.5", "versionType": "custom"}, {"status": "affected", "version": "9.4", "lessThan": "9.4.10", "versionType": "custom"}, {"status": "affected", "version": "9.3", "lessThan": "9.3.11", "versionType": "custom"}]}, {"vendor": "Splunk", "product": "Splunk Cloud Platform", "versions": [{"status": "affected", "version": "10.4.2603", "lessThan": "Not Affected", "versionType": "custom"}, {"status": "affected", "version": "10.3.2512", "lessThan": "10.3.2512.5", "versionType": "custom"}, {"status": "affected", "version": "10.2.2510", "lessThan": "10.2.2510.9", "versionType": "custom"}, {"status": "affected", "version": "10.1.2507", "lessThan": "10.1.2507.19", "versionType": "custom"}, {"status": "affected", "version": "10.0.2503", "lessThan": "10.0.2503.13", "versionType": "custom"}, {"status": "affected", "version": "9.3.2411", "lessThan": "9.3.2411.127", "versionType": "custom"}]}], "datePublic": "2026-04-15T00:00:00.000Z", "references": [{"url": "https://advisory.splunk.com/advisories/SVD-2026-0403"}], "descriptions": [{"lang": "en", "value": "In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles could potentially perform a Remote Code Execution (RCE) by uploading a malicious file to the `$SPLUNK_HOME/var/run/splunk/apptemp` directory due to improper handling and insufficient isolation of temporary files within the `apptemp` directory.", "supportingMedia": [{"type": "text/html", "value": "In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles could potentially perform a Remote Code Execution (RCE) by uploading a malicious file to the `$SPLUNK_HOME/var/run/splunk/apptemp` directory due to improper handling and insufficient isolation of temporary files within the `apptemp` directory.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cwe", "cweId": "CWE-377", "description": "Creating and using insecure temporary files can leave application and system data vulnerable to attack."}]}], "providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2026-04-15T15:17:54.019Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20204", "state": "PUBLISHED", "dateUpdated": "2026-04-16T03:55:29.794Z", "dateReserved": "2025-10-08T11:59:15.397Z", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "datePublished": "2026-04-15T15:17:54.019Z", "assignerShortName": "cisco"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "9A537203-F31B-44A1-BB9E-C62F4539FA0B", "versionEndExcluding": "9.3.11", "versionStartIncluding": "9.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "0205D102-93C7-42FA-A33E-E517BB7760C4", "versionEndExcluding": "9.4.10", "versionStartIncluding": "9.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "D5A01879-50A5-4266-A08C-F55584F442ED", "versionEndExcluding": "10.0.5", "versionStartIncluding": "10.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:10.2.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "122C01E6-CD7E-44B3-BC65-2ACEDFE704E5", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "6FCB2A3C-8069-4AAC-8746-4B9679DE8116", "versionEndExcluding": "9.3.2411.127", "versionStartIncluding": "9.3.2411", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "D5C098C2-9ED5-41B4-BE57-984B71027144", "versionEndExcluding": "10.0.2503.13", "versionStartIncluding": "10.0.2503", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "2490F8A7-7B04-4E40-9414-02C050DAEB10", "versionEndExcluding": "10.1.2507.19", "versionStartIncluding": "10.1.2507", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "7C32CC18-1AF2-42B7-B4BF-D0E251BD8BDC", "versionEndExcluding": "10.2.2510.9", "versionStartIncluding": "10.2.2510", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "D8346F9C-302C-455A-9BE3-82C7C261830B", "versionEndExcluding": "10.3.2512.5", "versionStartIncluding": "10.3.2512", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles could potentially perform a Remote Code Execution (RCE) by uploading a malicious file to the `$SPLUNK_HOME/var/run/splunk/apptemp` directory due to improper handling and insufficient isolation of temporary files within the `apptemp` directory."}], "id": "CVE-2026-20204", "lastModified": "2026-04-17T19:04:00.080", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "psirt@cisco.com", "type": "Primary"}]}, "published": "2026-04-15T16:16:34.490", "references": [{"source": "psirt@cisco.com", "tags": ["Vendor Advisory"], "url": "https://advisory.splunk.com/advisories/SVD-2026-0403"}], "sourceIdentifier": "psirt@cisco.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-377"}], "source": "psirt@cisco.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.4.2603,*]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.3.2512,10.3.2512.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.2.2510,10.2.2510.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.1.2507,10.1.2507.19)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.0.2503,10.0.2503.13)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.3.2411,9.3.2411.127)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Splunk Cloud Platform", "source": "cna", "vendor": "Splunk"}, "product": "splunk_cloud_platform", "vendor": "splunk"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.2,10.2.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[10.0,10.0.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.4,9.4.10)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.3,9.3.11)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Splunk Enterprise", "source": "cna", "vendor": "Splunk"}, "product": "splunk_enterprise", "vendor": "splunk"}], "analysis": {"en": {"generated_at": "2026-04-15T22:22:22.275419+00:00", "value": {"mitigation_remediation": ["Apply the latest Splunk Enterprise or Splunk Cloud Platform patch that moves the temporary directory to a properly isolated location or removes the upload capability for non\u2011admin users, ensuring the affected versions are no longer vulnerable.", "Restrict file upload functions so only users with admin or power roles can create files in the apptemp directory, preventing low\u2011privileged users from placing malicious files.", "Isolate temporary files on a dedicated partition or mount with appropriate permissions to prevent cross\u2011user access."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Vulnerable deployments include Splunk Enterprise versions earlier than 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions earlier than 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127. Any installation that matches these version ranges is at risk if low\u2011privileged users can upload files to the temporary directory.", "description_and_impact": "An attacker with a low-privileged account that lacks the admin or power Splunk roles can exploit a flaw in temporary file handling to execute arbitrary code on a vulnerable Splunk instance. The vulnerability allows the attacker to upload a malicious file to the apptemp directory under $SPLUNK_HOME/var/run/splunk, where the file is not properly segregated from other users\u2019 data. This can lead to the execution of attacker\u2011controlled code, compromising the confidentiality, integrity, and availability of the entire Splunk deployment. The weakness is related to improper isolation of temporary resources (CWE\u2011377).", "risk_and_exploitability": "The CVSS score of 7.1 indicates a high severity vulnerability. No EPSS score is available, but the lack of a KEV listing does not diminish the potential impact. Though the attacker needs only a non\u2011admin user, the code execution capability can be abused to gain system\u2011level access or pivot within the environment. The attack vector is likely to involve the standard file upload mechanism used by Splunk, which does not enforce strict isolation of the apptemp area. If the attacker successfully uploads a crafted file, the system will process it as a legitimate application component, leading to arbitrary code execution."}}}}, "created": "2026-04-15T18:45:11.248210+00:00", "updated": "2026-04-15T22:30:16.064982+00:00", "vendors": ["splunk", "splunk$PRODUCT$splunk_cloud_platform", "splunk$PRODUCT$splunk_enterprise"]}