Splunk has issued crucial updates to address several vulnerabilities found within its Enterprise, Cloud Platform, and MCP Server. The company also tackled flaws present in third-party packages utilized across its product range.
Remote Code Execution Vulnerability
A high-severity issue, tracked as CVE-2026-20204, affects both Splunk Enterprise and Splunk Cloud Platform. It lets low-privileged users upload malicious files to a temporary directory, potentially leading to remote code execution (RCE). Splunk noted that the problem arises from improper handling and insufficient isolation of temporary files.
Besides the high-severity bug, two medium-severity vulnerabilities were addressed. The first involves username creation using a null byte or a non-UTF-8 percent-encoded byte, while the second allows unauthorized toggling of Data Model Acceleration settings.
Necessary Software Updates
To mitigate these risks, users are encouraged to update to the latest versions of Splunk Enterprise: 10.2.2, 10.0.5, 9.4.10, or 9.3.11. These versions contain the necessary patches to rectify all known security issues. Additionally, Splunk is actively updating its Cloud Platform instances to ensure enhanced security.
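The fixed releases above are per branch, so a patch check has to compare within the branch and numerically (9.4.9 is older than 9.4.10). The following is an added example, not Splunk code: it triages an inventory of Splunk Enterprise version strings against the four releases named in this article. The hostnames, the inventory and the status labels are constructed for illustration.

```python
import re
from collections import defaultdict

# Fixed Splunk Enterprise release per branch, taken from the article text:
# 10.2.2, 10.0.5, 9.4.10, 9.3.11  ->  (major, minor): minimum patch level
FIXED = {(10, 2): 2, (10, 0): 5, (9, 4): 10, (9, 3): 11}

# Assumption: the input contains a dotted x.y.z version, optionally with a
# prefix or suffix (for example a product name or build id).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def patch_status(version: str) -> str:
    """Classify one version string as patched / needs-update / unknown-branch / unparseable."""
    m = _VERSION_RE.search(version)
    if not m:
        return "unparseable"
    major, minor, patch = (int(g) for g in m.groups())
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        # The article names no fixed release for this branch, so do not guess.
        return "unknown-branch"
    # Integer comparison: "9" < "10" numerically, unlike string comparison.
    return "patched" if patch >= fixed_patch else "needs-update"


def triage(inventory: dict) -> dict:
    """Group hosts by patch status; hosts are sorted for stable reporting."""
    groups = defaultdict(list)
    for host, version in inventory.items():
        groups[patch_status(version)].append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = {
    "idx-01": "9.4.9",
    "idx-02": "9.4.10",
    "sh-01": "Splunk 10.0.4 (build placeholder)",
    "sh-02": "10.2.2",
    "hf-01": "9.2.5",
    "hf-02": "not-installed",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as `unknown-branch` need a manual check against Splunk's advisory, since this article does not say whether those branches are affected or supported.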
Addressing MCP Server Vulnerability
Splunk has also resolved a high-severity vulnerability, CVE-2026-20205, in the MCP Server application. This flaw could have allowed authenticated users to access user sessions and authorization tokens in plain text. Exploitation required either local log file access or administrative access to internal indexes, which is typically restricted to admin roles. The fix is included in MCP Server version 1.0.3.
In conjunction with these updates, Splunk has released patches for third-party package vulnerabilities impacting Splunk Enterprise, the Operator for Kubernetes Add-on, the IT Service Intelligence (ITSI) app, and the Universal Forwarder.
While there are no reports of these vulnerabilities being exploited in the wild, Splunk advises users to remain vigilant and keep systems updated. Further details can be found on Splunk’s official security advisories page.
