Zero Day MonitorZDM

← Back to list

7.1

CVE-2026-20204EXPLOITEDPATCHED

splunk · splunk enterpri

Improper Handling and Insufficient Isolation of Specific Temporary Files in Splunk Enterprise

Description

In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles could potentially perform a Remote Code Execution (RCE) by uploading a malicious file to the `$SPLUNK_HOME/var/run/splunk/apptemp` directory due to improper handling and insufficient isolation of temporary files within the `apptemp` directory.

Affected Products

Vendor	Product	Versions
splunk	splunk enterpri	10.2, 10.0, 9.4, 9.3, 10.4.2603, 10.3.2512, 10.2.2510, 10.1.2507, 10.0.2503, 9.3.2411

References

https://advisory.splunk.com/advisories/SVD-2026-0403

Related News (1 articles)

Tier C

VulDB6h ago

CVE-2026-20204 | Splunk Enterprise/Cloud Platform File apptemp temp file (SVD-2026-0403)

→ No new info (linked only)

CVSS 3.17.1 HIGH

VectorCVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

10.2.110.0.59.4.109.3.11Not Affected10.3.2512.510.2.2510.910.1.2507.1910.0.2503.139.3.2411.127

CWECWE-377

PublishedApr 15, 2026

Last enriched6h agov2

Trending Score50

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

HIGHCVE-2026-20205EXP

Sensitive Information Disclosure in ''_internal'' index in Splunk MCP Server app

MEDIUMCVE-2026-20202EXP

Improper Input Validation during User Account Creation in Splunk Enterprise

MEDIUMCVE-2026-20203EXP

Improper Access Control in Data Model Acceleration in Splunk Enterprise

Multiple vulnerabilities in Splunk products

MEDIUMCVE-2026-20144

In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.8, and 9.2.11, and Splunk Cloud Platform versions below 10.2.2510.0, 10.1.2507.11, 10.0.2503.9, and 9.3.2411.120, a user of a Splunk Sear

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 15, 2026

Discovered by ZDM

Apr 15, 2026

Updated: description, severity, activelyExploited

Apr 15, 2026

Actively Exploited

Apr 15, 2026

Patch Available

Apr 15, 2026

Version History

v2

Last enriched 6h ago

v2Tier C6h ago

Updated severity to CRITICAL, corrected exploit availability to false, and provided a new description with additional details.

descriptionseverityactivelyExploited

via VulDB

v17h ago

Initial creation