Skip to main content

Splunk Enterprise CVE-2026-20297

HIGH
Path Traversal (CWE-22)
2026-07-15 cisco
7.2
CVSS 3.1 · Vendor: cisco
Share

Severity by source

Vendor (cisco) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
6.7 MEDIUM

Network-reachable install workflow (AV:N/AC:L) but requires admin-level edit_local_apps+install_apps capabilities (PR:H); primary impact is integrity/availability via config overwrite, with confidentiality only indirect (C:L).

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (cisco).

CVSS VectorVendor: cisco

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 15, 2026 - 17:49 vuln.today
CVE Published
Jul 15, 2026 - 17:18 cve.org
HIGH 7.2

DescriptionCVE.org

In Splunk Enterprise versions below 10.4.1, 10.2.5, 10.0.8, 9.4.13, and 9.3.14, and Splunk Cloud Platform versions below 10.5.2605.0, 10.4.2604.6, 10.2.2510.18, and 10.1.2507.24, a user who holds a role that contains the edit_local_apps and install_apps capabilities could cause a legitimate app installation to write files outside the intended app directory, into $SPLUNK_HOME/etc/ and its subdirectories.<br><br>The vulnerability is caused by a path traversal in the app installation workflow, which does not restrict the installation path to the intended app directory.

AnalysisAI

Arbitrary file write in Splunk Enterprise (versions below 10.4.1, 10.2.5, 10.0.8, 9.4.13, 9.3.14) and Splunk Cloud Platform lets a privileged user with the edit_local_apps and install_apps capabilities abuse the app-installation workflow to write files outside the target app directory into $SPLUNK_HOME/etc/ and its subdirectories. The flaw is a path traversal (CWE-22) that can be leveraged to overwrite Splunk configuration and system files, yielding high confidentiality, integrity, and availability impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with role holding edit_local_apps + install_apps
Delivery
Craft app package with traversal paths
Exploit
Install app via app workflow
Execution
Files written outside app dir into $SPLUNK_HOME/etc/
Impact
Overwrite Splunk config for tamper/foothold

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Splunk user whose assigned role grants BOTH the edit_local_apps AND install_apps capabilities, and the attacker must go through the app installation workflow supplying a crafted app whose paths traverse out of the intended app directory. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, base 7.2 High) frames this as a network-reachable, low-complexity attack with full triple impact but requiring high privileges - the attacker must already hold a role granting edit_local_apps and install_apps, capabilities normally reserved for administrators or trusted app managers. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A user assigned a role that includes edit_local_apps and install_apps crafts a malicious Splunk app package containing traversal path components, then uploads and installs it through the normal app-installation workflow. During install, files are written outside the app's directory into $SPLUNK_HOME/etc/, overwriting server-wide configuration to tamper with Splunk's behavior or plant a foothold. …
Remediation Vendor-released patch: upgrade Splunk Enterprise to 10.4.1, 10.2.5, 10.0.8, 9.4.13, or 9.3.14 (or later) per the fixed branch you run; Splunk Cloud Platform is remediated by Splunk to 10.5.2605.0, 10.4.2604.6, 10.2.2510.18, or 10.1.2507.24 or later. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all Splunk Enterprise and Splunk Cloud Platform instances and identify versions vulnerable to CVE-2026-20297 (versions below 10.4.1, 10.2.5, 10.0.8, 9.4.13, and 9.3.14 on their respective branches). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Splunk

View all
CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2024-36985 HIGH POC
8.8 Jul 01

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10, a low-privileged user that does not hold the admin or powe

CVE-2023-46214 HIGH POC
8.8 Nov 16

In Splunk Enterprise versions below 9.0.7 and 9.1.2, Splunk Enterprise does not safely sanitize extensible stylesheet la

CVE-2023-32707 HIGH POC
8.8 Jun 01

In versions of Splunk Enterprise below 9.0.5, 8.2.11, and 8.1.14, and Splunk Cloud Platform below version 9.0.2303.100,

CVE-2022-43571 HIGH POC
8.8 Nov 03

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can execute arbitrary code through t

CVE-2022-43567 HIGH POC
8.8 Nov 04

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run arbitrary operating system c

CVE-2023-22934 HIGH POC
8.0 Feb 14

In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, the ‘pivot’ search processing language (SPL) command lets

CVE-2022-43566 HIGH POC
8.0 Nov 04

In Splunk Enterprise versions below 8.2.9, 8.1.12, and 9.0.2, an authenticated user can run risky commands using a more

CVE-2024-36991 HIGH POC
7.5 Jul 01

In Splunk Enterprise on Windows versions below 9.2.2, 9.1.5, and 9.0.10, an attacker could perform a path traversal on t

CVE-2024-36990 MEDIUM POC
6.5 Jul 01

In Splunk Enterprise versions below 9.2.2, 9.1.5, and 9.0.10 and Splunk Cloud Platform versions below 9.2.2403.100, an a

CVE-2017-17067 CRITICAL
9.8 Nov 30

Splunk Web in Splunk Enterprise 7.0.x before 7.0.0.1, 6.6.x before 6.6.3.2, 6.5.x before 6.5.6, 6.4.x before 6.4.9, and

CVE-2013-6771 CRITICAL
9.3 Aug 07

Directory traversal vulnerability in the collect script in Splunk before 5.0.5 allows remote attackers to execute arbitr

Share

CVE-2026-20297 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy