Splunk has released a series of security advisories detailing two significant vulnerabilities impacting Splunk Enterprise, Splunk Cloud Platform, and the Splunk MCP Server app. These flaws could allow low-privileged users to achieve remote code execution (RCE) or expose sensitive session tokens in clear text, posing a serious risk to the integrity of data analytics environments.
The most severe issue involves a breakdown in how Splunk manages its temporary file space. Tracked as CVE-2026-20204, the vulnerability affects Splunk Enterprise versions earlier than 10.2.1 and several versions of the Splunk Cloud Platform.
According to the advisory, “a low-privileged user that does not hold the admin or power Splunk roles could potentially perform a Remote Code Execution (RCE) by uploading a malicious file to the $SPLUNK_HOME/var/run/splunk/apptemp directory”. This exploit is possible “due to improper handling and insufficient isolation of temporary files within the apptemp directory”. By landing a malicious file in this specific directory, an attacker could transition from a basic user to executing arbitrary commands on the host server.
Splunk notes that this vulnerability primarily affects instances with Splunk Web enabled. For those unable to patch immediately, “turning Splunk Web off is a possible workaround” to mitigate the RCE risk.
The second advisory focuses on a sensitive information disclosure bug in the Splunk MCP Server app (versions below 1.0.3). Tracked as CVE-2026-20205, the flaw exposes authentication secrets within the platform’s internal logging systems.
In affected versions, “a user who holds a role with access to the Splunk _internal index or possesses the high-privilege capability mcp_tool_admin could view users’ session and authorization tokens in clear text”. While accessing these logs typically requires administrative rights, the vulnerability effectively elevates the risk of an internal breach or a compromised admin account being used to hijack other active sessions.
Splunk administrators are urged to audit their deployments and apply the following updates:
- Splunk Enterprise: Upgrade to versions 10.2.1, 10.0.5, 9.4.10, or 9.3.11 or higher.
- Splunk Cloud Platform: Ensure your instance is running 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, or other specified patched versions.
- Splunk MCP Server app: Upgrade to version 1.0.3 or higher.
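As an added example (not tooling from Splunk or from the advisories), the script below checks a deployment inventory against the fixed Splunk Enterprise and MCP Server app versions listed above. The thresholds are the versions named on this page; the inventory and host names are constructed. Splunk Cloud builds are left out because the page lists only some of the patched cloud versions.

```python
"""Compare a Splunk deployment inventory against the fixed releases named in
the advisories. Added example; thresholds come from the advisory summary,
the inventory below is constructed sample data."""

# Fixed Splunk Enterprise release on each maintained line (from the advisory).
ENTERPRISE_FIXED = {
    (10, 2): (10, 2, 1),
    (10, 0): (10, 0, 5),
    (9, 4): (9, 4, 10),
    (9, 3): (9, 3, 11),
}
HIGHEST_FIXED = max(ENTERPRISE_FIXED.values())  # (10, 2, 1)
MCP_APP_FIXED = (1, 0, 3)


def parse_version(text):
    """'9.4.10' -> (9, 4, 10); a build suffix such as '9.4.10-build123' is dropped."""
    core = text.strip().split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def enterprise_status(version):
    """Return (is_fixed, message) for a Splunk Enterprise version string."""
    v = parse_version(version)
    if v >= HIGHEST_FIXED:  # 10.2.1 or any later release or line
        return True, "patched"
    fixed = ENTERPRISE_FIXED.get(v[:2])
    if fixed is None:  # e.g. 10.1.x or 9.2.x: no fixed build on this line
        return False, "vulnerable: no fixed release on this line, move to 10.2.1 or a fixed line"
    if v >= fixed:
        return True, "patched"
    return False, "vulnerable: upgrade to " + ".".join(map(str, fixed))


def mcp_app_status(version):
    """Return (is_fixed, message) for a Splunk MCP Server app version string."""
    v = parse_version(version)
    if v >= MCP_APP_FIXED:
        return True, "patched"
    return False, "vulnerable: upgrade to " + ".".join(map(str, MCP_APP_FIXED))


# Constructed inventory: (host, product, version)
SAMPLE_INVENTORY = [
    ("sh-01", "enterprise", "9.4.9"),
    ("sh-02", "enterprise", "10.2.1"),
    ("idx-01", "enterprise", "10.1.0"),
    ("sh-01", "mcp_app", "1.0.2"),
    ("sh-02", "mcp_app", "1.0.3"),
]


def audit_inventory(inventory):
    """Return the (host, product, version, message) entries that still need an upgrade."""
    checks = {"enterprise": enterprise_status, "mcp_app": mcp_app_status}
    findings = []
    for host, product, version in inventory:
        ok, message = checks[product](version)
        if not ok:
            findings.append((host, product, version, message))
    return findings


if __name__ == "__main__":
    for host, product, version, message in audit_inventory(SAMPLE_INVENTORY):
        print(f"{host} {product} {version}: {message}")
```

The comparison is line-aware: a build on a maintained line is judged against that line's fixed release, while a build on a line with no fixed release (10.1.x in the sample) is reported as needing a move to a fixed line rather than silently passing.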
Beyond patching, Splunk recommends that organizations “review roles and capabilities on your instance and restrict internal index access to administrator-level roles” to prevent unauthorized exposure of system logs.
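To make the role review concrete, here is an added example (not Splunk's own tooling) that audits a Splunk authorize.conf for non-administrator roles that can search the _internal index or hold the mcp_tool_admin capability, following importRoles inheritance. The conf text is constructed; the treatment of the srchIndexesAllowed wildcards (a bare `*` covering only non-internal indexes, `_*` covering internal ones) and the set of roles counted as administrator-level are assumptions noted in the code.

```python
"""Audit a Splunk authorize.conf for non-admin roles that can read the
_internal index or hold the mcp_tool_admin capability. Added example, not
Splunk's own tooling; the conf text below is constructed."""
import configparser
import fnmatch

# Assumption: these roles are administrator-level and may keep _internal access.
ADMIN_ROLES = {"role_admin", "role_sc_admin"}
SENSITIVE_INDEX = "_internal"
SENSITIVE_CAPABILITY = "mcp_tool_admin"

# Constructed authorize.conf fragment.
SAMPLE_AUTHORIZE_CONF = """\
[role_admin]
srchIndexesAllowed = *;_*
mcp_tool_admin = enabled

[role_power]
importRoles = user
srchIndexesAllowed = main;_internal

[role_user]
srchIndexesAllowed = main

[role_soc_analyst]
importRoles = user
srchIndexesAllowed = _*

[role_mcp_operator]
importRoles = user
mcp_tool_admin = enabled
"""


def load_roles(conf_text):
    """Parse the INI-style conf; configparser lowercases keys, so look them up lowercased."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    return {name: dict(parser[name]) for name in parser.sections() if name.startswith("role_")}


def effective_settings(roles, role, seen=None):
    """Collect index patterns and enabled capabilities for a role, following
    importRoles; `seen` guards against import cycles."""
    if seen is None:
        seen = set()
    if role in seen or role not in roles:
        return set(), set()
    seen.add(role)
    settings = roles[role]
    indexes = {p.strip() for p in settings.get("srchindexesallowed", "").split(";") if p.strip()}
    caps = {k for k, v in settings.items() if v.strip().lower() == "enabled"}
    for parent in settings.get("importroles", "").split(";"):
        parent = parent.strip()
        if parent:
            parent_indexes, parent_caps = effective_settings(roles, "role_" + parent, seen)
            indexes |= parent_indexes
            caps |= parent_caps
    return indexes, caps


def grants_internal(patterns):
    """Assumption about wildcard semantics: a bare '*' covers only non-internal
    indexes, while '_*' (or an explicit '_internal') covers the internal ones."""
    for pattern in patterns:
        if pattern == SENSITIVE_INDEX:
            return True
        if pattern.startswith("_") and fnmatch.fnmatchcase(SENSITIVE_INDEX, pattern):
            return True
    return False


def audit_roles(conf_text):
    """Return (role, reason) findings for non-admin roles, sorted by role name."""
    roles = load_roles(conf_text)
    findings = []
    for role in sorted(roles):
        if role in ADMIN_ROLES:
            continue
        indexes, caps = effective_settings(roles, role)
        if grants_internal(indexes):
            findings.append((role, "can search " + SENSITIVE_INDEX))
        if SENSITIVE_CAPABILITY in caps:
            findings.append((role, "holds " + SENSITIVE_CAPABILITY))
    return findings


if __name__ == "__main__":
    for role, reason in audit_roles(SAMPLE_AUTHORIZE_CONF):
        print(f"{role}: {reason}")
```

Run against a real deployment, point `load_roles` at the merged output of the local and app-level authorize.conf files rather than a single file, since a role's index grants can come from any of them; inherited grants are why the walk follows importRoles instead of reading each stanza in isolation.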