Splunk Enterprise Update Patches Code Execution Vulnerability

Summary

Splunk released security updates addressing multiple vulnerabilities across its products, including a high-severity remote code execution flaw (CVE-2026-20204) in Splunk Enterprise and Cloud Platform that allows low-privileged users to upload malicious files to a temporary directory. Additional high-severity vulnerability CVE-2026-20205 in MCP Server app could expose user sessions and authorization tokens. Users are advised to update to patched versions (10.2.2, 10.0.5, 9.4.10, 9.3.11 or higher), with no evidence of active exploitation reported.

Full text

Splunk has announced fixes for vulnerabilities in Splunk Enterprise, Cloud Platform, and MCP Server, as well as in third-party packages across its products. A high-severity flaw in Splunk Enterprise and Cloud Platform, tracked as CVE-2026-20204, could be exploited by low-privileged users to upload a malicious file to a temporary directory and achieve remote code execution (RCE). The bug exists because temporary files are improperly handled and are not sufficiently isolated in that directory, Splunk says. Two medium-severity issues were addressed in Splunk Enterprise and Cloud Platform. One could be exploited to create usernames containing a null byte or a non-UTF-8 percent-encoded byte, preventing their conversion to a proper format, while the other allows attackers to turn Data Model Acceleration on or off. Users should update to Splunk Enterprise versions 10.2.2, 10.0.5, 9.4.10, 9.3.11, or higher, which contain fixes for all these security defects. Splunk is patching Cloud Platform instances. On Wednesday, the company also resolved CVE-2026-20205, a high-severity vulnerability in the MCP Server app that could allow authenticated attackers to view users’ sessions and authorization tokens in clear text.Advertisement. Scroll to continue reading. “The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives,” Splunk notes. Fixes for the bug were included in the MCP Server app version 1.0.3. Additionally, the company rolled out fixes for bugs in third-party packages in Splunk Enterprise, Operator for Kubernetes Add-on, IT Service Intelligence (ITSI) app, and Universal Forwarder. Splunk makes no mention of any of these vulnerabilities being exploited in the wild. Additional information can be found on the company’s security advisories page. Related: Cisco Patches Critical Vulnerabilities in Webex, ISE Related: Exploited Vulnerability Exposes Nginx Servers to Hacking Related: ‘By Design’ Flaw in MCP Could Enable Widespread AI Supply Chain Attacks Related: Splunk, Zoom Patch Severe Vulnerabilities Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire 100 Chrome Extensions Steal User Data, Create BackdoorMirax RAT Targeting Android Users in EuropeTwo Vulnerabilities Patched in Ivanti Neurons for ITSM Fortinet Patches Critical FortiSandbox VulnerabilitiesSAP Patches Critical ABAP VulnerabilityTriad Nexus Evades Sanctions to Fuel CybercrimeGoogle Adds Rust DNS Parser to Pixel Phones for Better SecurityOrganizations Warned of Exploited Windows, Adobe Acrobat Vulnerabilities Latest News Microsoft Paid Out $2.3 Million at Zero Day Quest 2026 Hacking ContestNIST Prioritizes NVD Enrichment for CVEs in CISA KEV, Critical SoftwareCisco Patches Critical Vulnerabilities in Webex, ISERansomware Hits Automotive Data Expert AutovistaClaude Code, Gemini CLI, GitHub Copilot Agents Vulnerable to Prompt Injection via CommentsSweden Blames Pro-Russian Group for Cyberattack Last Year on Its Energy InfrastructureExploited Vulnerability Exposes Nginx Servers to HackingCapsule Security Emerges From Stealth With $7 Million in Funding Trending Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: A Step-by-Step Approach to AI Governance April 28, 2026 With "Shadow AI" usage becoming prevalent in organizations, learn how to balance the need for rapid experimentation with the rigorous controls required for enterprise-grade deployment. Register Virtual Event: Threat Detection and Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the MoveThreatModeler has appointed Kevin Gallagher as Chief Executive Officer.Thomas Bain has been appointed Chief Marketing Officer at Silent Push.The United States Department of War appointed David Vaughn as Technical Advisor for Data Infrastructure.More People On The MoveExpert Insights The Hidden ROI of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) The Next Cybersecurity Crisis Isn’t Breaches—It’s Data You Can’t Trust Data integrity shouldn’t be seen only through the prism of a technical concern but also as a leadership issue. (Steve Durbin) Why Agentic AI Systems Need Better Governance – Lessons from OpenClaw Agentic AI platforms are shifting from passive recommendation tools to autonomous action-takers with real system access, (Etay Maor) The Human IOC: Why Security Professionals Struggle with Social Vetting Applying SOC-level rigor to the rumors, politics, and 'human intel' can make or break a security team. (Joshua Goldfarb) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• cve — CVE-2026-20204
• cve — CVE-2026-20205

Entities