Third-Party Package Updates in Splunk Enterprise - June 2026

Advisory ID: SVD-2026-0610

CVE ID: Multiple

Published: 2026-06-10

Last Update: 2026-06-10

Description

Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 10.4.0, 10.2.4, 10.0.7, 9.4.12, 9.3.13, and higher.

| Package | Remediation | CVE | Severity |
|---|---|---|---|
| golang¹ | Upgraded golang in `compsup` binary to Go compiler version go1.26.1 | Multiple | Critical |
| MongoDB² | Upgraded MongoDB version 7.0.30 to version 7.0.31 and MongoDB version 8.0.19 to version 8.0.20 | Multiple | High |
| aiohttp³ | Upgraded aiohttp to version 3.13.5 | Multiple | Critical |
| go.opentelemetry.io/otel/sdk⁴ | Upgraded opentelemetry to version 1.43.0 | CVE-2026-24051 | High |
| PostgreSQL⁵ | Upgraded postgresql to version 17.8 | Multiple | High |
| golang.org/x/crypto⁶ | Upgraded golang crypto in `etcd`, `etcdctl`, and `etcdutl` binaries to version 0.48.0 | Multiple | High |
| apache-log4j⁷ | Upgraded apache-log4j version 2.17.2 to version 2.25.4 | Multiple | Medium |
| cloudflare/circl⁸ | Upgraded cloudflare/circl in `compsup` binary to version 1.6.3 | CVE-2026-1229 | Low |
| cloudflare/circl⁹ | Upgraded cloudflare/circl in `splunk-supervisor` binary to version 1.6.3 | CVE-2026-1229 | Low |

1 Upgraded golang in `compsup` binary to Go compiler version go1.26.1 to remedy CVE-2025-68121, CVE-2025-61732, CVE-2025-61731, CVE-2025-61726, CVE-2026-25679, and CVE-2026-27142 at `/opt/splunk/bin/compsup` in Splunk Enterprise 10.4.0 and 9.3.13. The fix was already applied in prior Splunk Enterprise versions 10.2.3, 10.0.6, and 9.4.11.

2 For Splunk Enterprise versions 9.4.12 and 10.0.7 for Linux and Windows, Splunk Enterprise upgraded MongoDB 7.0.30 to version 7.0.31 at `$SPLUNK_HOME/bin/mongod` to remedy CVE-2026-4147, CVE-2026-4148 and CVE-2026-4358.

For Splunk Enterprise version 10.2.4 for Linux and Windows, Splunk Enterprise upgraded MongoDB 8.0.19 to version 8.0.20 at `$SPLUNK_HOME/bin/mongod` to remedy CVE-2026-4147, CVE-2026-4148 and CVE-2026-4358.

For Splunk Enterprise version 10.4.0 for Linux and Windows, Splunk Enterprise upgraded MongoDB 7.0.30 to version 7.0.31 and MongoDB 8.0.19 to version 8.0.20 at `$SPLUNK_HOME/bin/mongod` to remedy CVE-2026-4147, CVE-2026-4148 and CVE-2026-4358.

3 Upgraded aiohttp to version 3.13.5 to remedy CVE-2026-34516 and CVE-2026-34520 at `$SPLUNK_HOME/etc/apps/splunk_secure_gateway/lib/aiohttp-3.13.3.dist-info/METADATA` in Splunk Enterprise versions 10.4.0, 10.2.4, 10.0.7, 9.4.12, and 9.3.13. The fix is applied in Splunk Secure Gateway app versions 3.10.6, 3.9.20 and 3.8.67.

4 Upgraded opentelemetry to version 1.43.0 to remedy CVE-2026-24051 at `$SPLUNK_HOME/packages/cmp-orchestrator-1.264.19+126da777-20260319t073336.tar.gz/splunk-cmp-orchestrator` in Splunk Enterprise versions 10.4.0, 10.2.4 and 10.0.7. Splunk Enterprise versions 9.4.x and 9.3.x are not affected.

5 Upgraded postgresql to version 17.8 to remedy CVE-2026-2003, CVE-2026-2004, CVE-2026-2005, and CVE-2026-2006 in Splunk Enterprise versions 10.4.0, 10.2.4 and 10.0.7. The Postgres sidecar is not present in Splunk Enterprise versions 9.4.x and 9.3.x.

6 Upgraded golang crypto in `etcd`, `etcdctl`, and `etcdutl` binaries to version 0.48.0 to remedy CVE-2025-47913, CVE-2025-58181, and CVE-2025-47914 in Splunk Enterprise versions 10.4.0 and 10.2.4. The `etcd`, `etcdctl`, and `etcdutl` binaries are not present in Splunk Enterprise versions 10.0.x, 9.4.x, and 9.3.x.

7 Upgraded apache-log4j to version 2.25.4 to remedy CVE-2025-68161, CVE-2026-34480, and CVE-2026-34477 in Splunk Enterprise versions 10.0.7, 9.4.12 and 9.3.13. Splunk Enterprise versions 10.2.x and 10.4.x do not have apache-log4j.

8 Upgraded cloudflare/circl in `compsup` binary to version 1.6.3 to remedy CVE-2026-1229 at `/opt/splunk/bin/compsup` in Splunk Enterprise version 9.3.13. The fix was applied in prior Splunk Enterprise versions 10.0.6 and 9.4.11.

9 Upgraded cloudflare/circl in `splunk-supervisor` binary to version 1.6.3 to remedy CVE-2026-1229 at `/opt/splunk/bin/splunk-supervisor` in Splunk Enterprise versions 10.4.0 and 10.2.4.

Note for items 8 and 9: The affected binary name changed across Splunk Enterprise versions. In earlier Splunk Enterprise versions 10.0.x, 9.4.x and 10.3.x, this component is referenced as `compsup` at `/opt/splunk/bin/compsup`. In later Splunk Enterprise versions 10.2.x and 10.4.0, the same component is referenced as `splunk-supervisor` at `/opt/splunk/bin/splunk-supervisor`.

Solution

Upgrade Splunk Enterprise to versions 10.4.0, 10.2.4, 10.0.7, 9.4.12, 9.3.13, or higher.

Product Status

| Product | Base Version | Affected Version | Fix Version |
|---|---|---|---|
| Splunk Enterprise | 10.4 | Below 10.4.0 | 10.4.0 |
| Splunk Enterprise | 10.2 | 10.2.0 to 10.2.3 | 10.2.4 |
| Splunk Enterprise | 10.0 | 10.0.0 to 10.0.6 | 10.0.7 |
| Splunk Enterprise | 9.4 | 9.4.0 to 9.4.11 | 9.4.12 |
| Splunk Enterprise | 9.3 | 9.3.0 to 9.3.12 | 9.3.13 |
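
An added example, not part of Splunk's advisory: a Python check of a host inventory against the Product Status table above. The "host version" inventory format and the host names are constructed assumptions; versions are compared as integer tuples because a string comparison would rank 9.4.9 above 9.4.12.

```python
import re

# Fix version per base release line, copied from the Product Status table.
FIX_VERSIONS = {
    (10, 4): (10, 4, 0),
    (10, 2): (10, 2, 4),
    (10, 0): (10, 0, 7),
    (9, 4): (9, 4, 12),
    (9, 3): (9, 3, 13),
}

def parse_version(text):
    """Return (major, minor, patch) as integers from a string such as '9.4.11'."""
    match = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(part) for part in match.groups())

def check_version(text):
    """Return (status, fix_version) for one Splunk Enterprise version string."""
    version = parse_version(text)
    fix = FIX_VERSIONS.get(version[:2])
    if fix is None:
        # The advisory says nothing about this release line, so neither do we.
        return ("not-listed", None)
    if version >= fix:  # tuple comparison is numeric: (9, 4, 9) < (9, 4, 12)
        return ("fixed", None)
    return ("affected", ".".join(str(part) for part in fix))

def triage(inventory):
    """Map each host in 'host version' lines to its (status, fix_version)."""
    results = {}
    for line in inventory.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            host, version = line.split()
            results[host] = check_version(version)
    return results

# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = """
idx01.example.internal 9.4.9    # string comparison would rank this above 9.4.12
idx02.example.internal 9.4.12
sh01.example.internal  10.2.3
sh02.example.internal  10.4.0
hf01.example.internal  9.2.5    # release line not in the advisory
"""

if __name__ == "__main__":
    for host, (status, fix) in triage(SAMPLE_INVENTORY).items():
        print(f"{host:24} {status:10} {'upgrade to ' + fix if fix else ''}")
```

A `not-listed` result means only that the advisory's table has no row for that release line.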

Severity

For the CVEs in this list, Splunk adopted the vendor’s severity rating or the National Vulnerability Database (NVD) common vulnerability scoring system (CVSS) rating, as available.