Splunk RCE: Low-Privilege Users Could Gain Remote Code Execution

The National Vulnerability Database (NVD) has detailed a critical Remote Code Execution (RCE) vulnerability, CVE-2026-20204, affecting multiple versions of Splunk Enterprise and Splunk Cloud Platform. This flaw, rated with a CVSS score of 7.1 (HIGH), allows a low-privileged user – specifically, one without admin or power roles – to execute arbitrary code remotely.

According to the NVD, the attack vector is uploading a malicious file to the $SPLUNK_HOME/var/run/splunk/apptemp directory. The root cause is improper handling and insufficient isolation of temporary files within that apptemp directory (CWE-377, Insecure Temporary File). In practice, a low-privileged user holding neither the admin nor the power role could turn a seemingly benign file upload into code execution on the Splunk host.

Related ATT&CK Techniques

- T1190 Exploit Public-Facing Application (Initial Access), severity high: Web Application Exploitation Attempt — CVE-2026-20204


Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-20204 | RCE | Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, 9.3.11 |
| CVE-2026-20204 | RCE | Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, 9.3.2411.127 |
| CVE-2026-20204 | RCE | Vulnerable component: improper handling and insufficient isolation of temporary files within the `apptemp` directory |
| CVE-2026-20204 | RCE | Attack vector: uploading a malicious file to the `$SPLUNK_HOME/var/run/splunk/apptemp` directory |
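The fixed versions above are per release branch, so "below 10.2.1" only applies to the 10.2.x line. The following added example (not code from the page, Splunk, or the NVD) turns that list into a branch-aware check: it matches a deployed version to the fixed version sharing its major.minor branch and reports vulnerable, fixed, or unknown-branch when the page lists no fix for that branch (for instance Splunk Enterprise 10.1.x, which the table does not mention). The `assess` and `parse_version` names and the command-line wrapper are this example's own.

```python
"""Branch-aware version check for CVE-2026-20204 (added example, not Splunk's tooling)."""
import sys
from typing import Tuple

# Fixed versions as listed in the advisory summary above: the first build on
# each release branch that contains the fix. A branch is identified by (major, minor).
FIXED_ENTERPRISE = ["10.2.1", "10.0.5", "9.4.10", "9.3.11"]
FIXED_CLOUD = [
    "10.4.2603.0", "10.3.2512.5", "10.2.2510.9",
    "10.1.2507.19", "10.0.2503.13", "9.3.2411.127",
]
FIXED_BY_PRODUCT = {"enterprise": FIXED_ENTERPRISE, "cloud": FIXED_CLOUD}


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted numeric version into an integer tuple so it compares naturally."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def _branch(ver: Tuple[int, ...]) -> Tuple[int, ...]:
    # Release branches on this page are distinguished by major.minor only.
    return ver[:2]


def assess(version: str, product: str) -> str:
    """Return 'vulnerable', 'fixed', or 'unknown-branch' for a product version.

    product is 'enterprise' (Splunk Enterprise) or 'cloud' (Splunk Cloud Platform).
    Only branches the advisory summary lists are judged; anything else is
    reported as unknown-branch rather than guessed.
    """
    try:
        fixed_list = FIXED_BY_PRODUCT[product]
    except KeyError:
        raise ValueError(f"unknown product {product!r}; use 'enterprise' or 'cloud'")
    deployed = parse_version(version)
    for fixed in fixed_list:
        fixed_ver = parse_version(fixed)
        if _branch(fixed_ver) == _branch(deployed):
            return "vulnerable" if deployed < fixed_ver else "fixed"
    return "unknown-branch"


def main(argv) -> int:
    # Usage: python check.py <enterprise|cloud> <version>
    if len(argv) != 3:
        print("usage: check.py <enterprise|cloud> <version>", file=sys.stderr)
        return 2
    product, version = argv[1], argv[2]
    verdict = assess(version, product)
    print(f"Splunk {product} {version}: {verdict} (CVE-2026-20204)")
    return 1 if verdict == "vulnerable" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status (1 for vulnerable, 0 otherwise) makes the script usable from a fleet inventory job; an unknown-branch result is deliberately not treated as safe and should be resolved against the vendor advisory rather than this table.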
