Splunk Enterprise Update Patches Code Execution Vulnerability

Splunk has announced fixes for vulnerabilities in Splunk Enterprise, Cloud Platform, and MCP Server, as well as in third-party packages across its products.

A high-severity flaw in Splunk Enterprise and Cloud Platform, tracked as CVE-2026-20204, could be exploited by low-privileged users to upload a malicious file to a temporary directory and achieve remote code execution (RCE).

The bug exists because temporary files are improperly handled and are not sufficiently isolated in that directory, Splunk says.

Two medium-severity issues were addressed in Splunk Enterprise and Cloud Platform. One could be exploited to create usernames containing a null byte or a non-UTF-8 percent-encoded byte, preventing their conversion to a proper format, while the other allows attackers to turn Data Model Acceleration on or off.

Users should update to Splunk Enterprise versions 10.2.2, 10.0.5, 9.4.10, 9.3.11, or higher, which contain fixes for all these security defects. Splunk is patching Cloud Platform instances.

On Wednesday, the company also resolved CVE-2026-20205, a high-severity vulnerability in the MCP Server app that could allow authenticated attackers to view users’ sessions and authorization tokens in clear text.

Advertisement. Scroll to continue reading.

“The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives,” Splunk notes. Fixes for the bug were included in the MCP Server app version 1.0.3.

Additionally, the company rolled out fixes for bugs in third-party packages in Splunk Enterprise, Operator for Kubernetes Add-on, IT Service Intelligence (ITSI) app, and Universal Forwarder.

Splunk makes no mention of any of these vulnerabilities being exploited in the wild. Additional information can be found on the company’s security advisories page.

Originally published by SecurityWeek

Full Analysis