Critical Splunk RCE Vulnerability CVE-2023-46214 Patched
Key Takeaways
- A critical remote code execution (RCE) flaw, CVE-2026-20204, has been identified in Splunk Enterprise and Splunk Cloud Platform.
- The vulnerability, rated 7.1 CVSS, allows low-privileged attackers to execute arbitrary code by manipulating temporary files.
- Numerous versions of Splunk Enterprise (10.2, 10.0, 9.4, 9.3 series) and Splunk Cloud Platform are affected if the Splunk Web component is active.
- Splunk has released patches, and immediate upgrades are advised for Enterprise users, while Cloud users will receive automatic updates.
A significant remote code execution (RCE) vulnerability has come to light, impacting several versions of both Splunk Enterprise and Splunk Cloud Platform. This critical flaw, identified as CVE-2026-20204, carries a CVSS score of 7.1, signaling a substantial risk to organizational networks that rely on Splunk for critical data processing and security analytics.
Splunk researcher Gabriel Nitu is credited with discovering and reporting the vulnerability. The nature of the flaw enables attackers to achieve remote code execution, a severe capability given Splunk’s role in handling sensitive log data and security metrics, which necessitates immediate attention from system administrators.
Splunk Enterprise and Cloud Vulnerability Details
The core of this security issue stems from the software’s handling of temporary files. Classified under CWE-377, the vulnerability arises from the inadequate isolation and improper management of specific files within the Splunk Web component. When an application fails to properly isolate temporary data, it creates an avenue for malicious actors to interfere with system processes.
Exploiting this particular weakness requires only standard user access. The attack chain is contingent upon the following conditions:
- An attacker must possess a low-privileged user account; no advanced administrative or power user roles are necessary.
- The attacker must upload a specially crafted, malicious file directly into the `$SPLUNK_HOME/var/run/splunk/apptemp` directory.
- Upon successful upload and processing of the malicious file, the attacker gains the ability to execute unauthorized code remotely on the host server.
Organizations must conduct an immediate audit of their Splunk deployments to ascertain if they are running a vulnerable version. The issue specifically affects environments where the Splunk Web component is active.
For Splunk Enterprise users, the vulnerability spans multiple release branches. This includes the 10.2 series prior to 10.2.1, the 10.0 series before 10.0.5, versions 9.4.0 through 9.4.9, and the 9.3 series up to 9.3.10.
Splunk Cloud Platform users are also exposed across several builds. Affected cloud versions include releases below 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127. Splunk has confirmed that its newer 10.4.2603 branch remains unaffected by this specific vulnerability.
What You Should Do
According to Splunk’s official security advisory (SVD-2026-0403), organizations should implement immediate protective measures to prevent unauthorized exploitation. The vendor has noted no active exploitation of this flaw in the wild, providing a crucial window for administrators to secure their systems.
Security teams should apply the following solutions to mitigate the threat:
- Upgrade all Splunk Enterprise installations to the latest secure versions, specifically 10.2.1, 10.0.5, 9.4.10, 9.3.11, or any higher release.
- For Splunk Cloud Platform instances, monitor your environment as the vendor is actively rolling out patches automatically to these deployments.
- As a temporary measure, consider disabling the Splunk Web component if immediate patching is not feasible.
- Modify the web configuration file to turn off the web interface, which effectively blocks the attack path until permanent patches can be applied.
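As an added example (not code from Splunk or from this article), the following script turns the affected-version ranges listed above into a triage check and reads the Splunk Web on/off switch from `web.conf`; it assumes the standard `startwebserver` key in the `[settings]` stanza, which is the setting the last bullet refers to.

```python
"""Triage helper for CVE-2026-20204 based on the ranges in SVD-2026-0403 as
quoted in the article above. Example code, not Splunk's own tooling."""
import configparser
from typing import Optional, Tuple

Version = Tuple[int, ...]

# Splunk Enterprise: branch -> first fixed release on that branch.
ENTERPRISE_FIXED = {(10, 2): (10, 2, 1), (10, 0): (10, 0, 5),
                    (9, 4): (9, 4, 10), (9, 3): (9, 3, 11)}
# Splunk Cloud Platform: build line -> first fixed build on that line.
CLOUD_FIXED = {(10, 3, 2512): (10, 3, 2512, 5), (10, 2, 2510): (10, 2, 2510, 9),
               (10, 1, 2507): (10, 1, 2507, 19), (10, 0, 2503): (10, 0, 2503, 13),
               (9, 3, 2411): (9, 3, 2411, 127)}
# The 10.4.2603 line is stated to be unaffected.
CLOUD_UNAFFECTED = {(10, 4, 2603)}


def parse_version(text: str) -> Version:
    """'9.4.9' -> (9, 4, 9); tuples compare component-wise, as versions should."""
    return tuple(int(p) for p in text.strip().split("."))


def is_affected(version: str, cloud: bool = False,
                web_enabled: bool = True) -> Optional[bool]:
    """True if in an affected range with Splunk Web enabled, False if fixed,
    unaffected or Web disabled, None if the branch is not in the advisory."""
    if not web_enabled:          # the flaw lives in the Splunk Web component
        return False
    v = parse_version(version)
    if cloud:
        if v[:3] in CLOUD_UNAFFECTED:
            return False
        fixed = CLOUD_FIXED.get(v[:3])
    else:
        fixed = ENTERPRISE_FIXED.get(v[:2])
    return None if fixed is None else v < fixed


def splunk_web_enabled(web_conf_text: str) -> bool:
    """Read startwebserver from a web.conf [settings] stanza; Splunk defaults
    to enabled when the key is absent. The temporary mitigation is 0/false."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(web_conf_text)
    return cp.getboolean("settings", "startwebserver", fallback=True)


if __name__ == "__main__":
    # Constructed sample: a 9.4.9 host whose web.conf leaves Splunk Web on.
    sample_conf = "[settings]\nhttpport = 8000\n"
    print(is_affected("9.4.9", web_enabled=splunk_web_enabled(sample_conf)))
```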