Overview of the Security Updates
Splunk has released a round of security patches covering vulnerabilities in Splunk Enterprise, Splunk Cloud Platform, and the MCP Server app, in addition to bugs identified in third-party packages bundled within its products. The disclosures span a range of severity levels and affect multiple components of the Splunk ecosystem.
High-Severity RCE Bug: CVE-2026-20204
The most critical issue addressed in this update cycle is CVE-2026-20204, a high-severity vulnerability affecting both Splunk Enterprise and Splunk Cloud Platform. This flaw could be exploited by low-privileged users to upload a malicious file to a temporary directory, ultimately enabling remote code execution (RCE) on the targeted system.
According to Splunk, the root cause lies in how temporary files are handled — specifically, they are not sufficiently isolated within the designated temporary directory, creating an opportunity for abuse by attackers who have only limited access privileges. The fact that exploitation does not require elevated permissions makes this vulnerability particularly concerning for enterprise deployments.
Medium-Severity Issues in Enterprise and Cloud Platform
Two additional vulnerabilities of medium severity were also patched in Splunk Enterprise and Cloud Platform:
- Username Null Byte Injection: One flaw could be exploited to create usernames containing a null byte or a non-UTF-8 percent-encoded byte, which prevents those usernames from being properly converted to a standard format — potentially undermining authentication and user management logic.
- Data Model Acceleration Manipulation: The second medium-severity issue allows attackers to toggle Data Model Acceleration on or off, which could interfere with search performance and analytics functionality within the platform.
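As an added illustration of the username issue above (not Splunk's code, and not a reproduction of its normalization logic), the following Python audit flags names in an exported user list that carry a null byte or a percent-encoded byte that is not valid UTF-8. The function names and the sample list are assumptions constructed for the example.

```python
"""Added example: flag usernames carrying a null byte or a non-UTF-8
percent-encoded byte. Names and sample data are constructed for illustration."""
from urllib.parse import unquote_to_bytes

NULL_BYTE = "null byte"
BAD_UTF8 = "non-UTF-8 percent-encoded byte"


def classify_username(name: str) -> list[str]:
    """Return the reasons a username is suspect; an empty list means clean."""
    # The str is UTF-8 encoded and every %XX escape becomes its raw byte.
    # Malformed escapes such as "%zz" are left untouched.
    raw = unquote_to_bytes(name)
    reasons = []
    if b"\x00" in raw:  # literal NUL or %00
        reasons.append(NULL_BYTE)
    try:
        # Strict decoding also rejects truncated sequences (%C3 alone),
        # overlong forms (%C0%80) and legacy single-byte encodings (%E9).
        raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        reasons.append(BAD_UTF8)
    return reasons


def audit(usernames):
    """Map each suspect username to its reasons; clean names are omitted."""
    findings = {}
    for name in usernames:
        reasons = classify_username(name)
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample input, standing in for an exported user list.
SAMPLE_USERNAMES = [
    "alice",
    "ren%C3%A9",      # valid UTF-8 once decoded
    "svc_backup%00",
    "ops\x00admin",
    "jdoe%FF",
    "100%zz",         # not a valid escape
    "x%00%FE",
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_USERNAMES).items():
        print(f"{name!r}: {', '.join(reasons)}")
```

Names that decode to valid UTF-8, such as `ren%C3%A9`, pass the check, so the audit does not flag ordinary non-ASCII usernames.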
Recommended Update Versions
Splunk recommends that administrators update to one of the following versions of Splunk Enterprise, all of which contain fixes for the vulnerabilities described above:
- Version 10.2.2
- Version 10.0.5
- Version 9.4.10
- Version 9.3.11
- Or any higher release
For customers running Splunk Cloud Platform, the company states that it is actively patching affected instances on their behalf.
MCP Server App Vulnerability: CVE-2026-20205
Also disclosed on the same day was CVE-2026-20205, a separate high-severity vulnerability residing in Splunk's MCP Server app. This flaw could allow authenticated attackers to view other users' sessions and authorization tokens in clear text.
Splunk provided important context around the exploitability of this issue, noting:
"The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives."
While these prerequisites limit the attack surface somewhat, the exposure of session data and authorization tokens in plaintext still poses a significant risk, particularly in environments where log access is not tightly controlled. Fixes for CVE-2026-20205 were incorporated into MCP Server app version 1.0.3.
Third-Party Package Fixes
Beyond its own code, Splunk also rolled out patches for bugs in third-party packages embedded across several of its products, including:
- Splunk Enterprise
- Operator for Kubernetes Add-on
- IT Service Intelligence (ITSI) app
- Universal Forwarder
The company did not provide specific details about the nature of those third-party vulnerabilities in its advisory summaries, but their inclusion underscores the ongoing challenge of managing supply chain risk within complex enterprise software ecosystems.
No Evidence of Active Exploitation
Splunk has stated that none of the vulnerabilities disclosed in this update cycle are currently known to be exploited in the wild. Nonetheless, given the high severity of CVE-2026-20204 and its low privilege requirement for exploitation, security teams are strongly encouraged to apply the relevant patches without delay.
Further technical details and guidance are available on Splunk's official security advisories page.
Source: SecurityWeek