Local Privilege Escalation in Splunk Enterprise for Windows through Python Module Search Path
Advisory ID: SVD-2026-0208
CVE ID: CVE-2026-20143
Published: 2026-02-18
Last Update: 2026-02-18
CVSSv3.1 Score: 7.7, High
CVSSv3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
CWE: CWE‑427
Bug ID: VULN-47247
Description
In Splunk Enterprise for Windows versions below 10.2.0, 10.0.3, 9.4.8, and 9.3.9, a low‑privileged Windows user who can create a directory on the system drive where Splunk Enterprise is installed can write a malicious Python script into that directory. This could result in a Local Privilege Escalation (LPE) and a Denial of Service (DoS), as the malicious Python script might run with system-level privileges when the Splunk Enterprise instance restarts.
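The weakness class described above (CWE‑427) can be audited generically: for each Python search-path entry, find the directory that exists (or the nearest existing ancestor if the entry is missing) and check whether a low-privileged principal may create entries there. The following is an added example, not Splunk code; the paths, ACL text, `LOW_PRIV` list and function names are constructed assumptions, and in practice the ACL text would come from running `icacls` on each existing directory.

```python
import ntpath
import re

# Assumption: principals treated as low-privileged; adjust for your environment.
LOW_PRIV = ("BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users", "Everyone")
# icacls rights that let a principal add files or subdirectories.
CREATE_RIGHTS = {"F", "M", "W", "WD", "AD"}

def low_priv_writers(icacls_text):
    """Low-privileged principals that may create entries in the directory itself."""
    found = set()
    for line in icacls_text.splitlines():
        for who in LOW_PRIV:
            _, sep, aces = line.partition(who + ":")
            if sep:
                flags = {f for g in re.findall(r"\(([^)]*)\)", aces) for f in g.split(",")}
                # Inherit-only ACEs apply to children only; deny/no-access ACEs grant nothing.
                if flags & CREATE_RIGHTS and not flags & {"IO", "DENY", "N"}:
                    found.add(who)
    return found

def audit_search_path(entries, acls):
    """Map each risky entry to (directory checked, principals). Keys of acls are
    the directories that exist; values are their icacls output."""
    risky = {}
    for entry in entries:
        cur = ntpath.normpath(entry)
        while cur not in acls and ntpath.dirname(cur) != cur:
            cur = ntpath.dirname(cur)  # walk up to the nearest existing ancestor
        writers = low_priv_writers(acls.get(cur, ""))
        if writers:
            risky[entry] = (cur, sorted(writers))
    return risky

# Constructed sample: icacls output keyed by directory (not from a real host).
SAMPLE_ACLS = {
    "C:\\": "C:\\ BUILTIN\\Administrators:(OI)(CI)(F)\n"
            "    BUILTIN\\Users:(OI)(CI)(RX)\n"
            "    NT AUTHORITY\\Authenticated Users:(OI)(CI)(IO)(M)\n"
            "    NT AUTHORITY\\Authenticated Users:(AD)\n",
    "C:\\Program Files\\ExampleApp\\lib":
            "C:\\Program Files\\ExampleApp\\lib BUILTIN\\Administrators:(OI)(CI)(F)\n"
            "    BUILTIN\\Users:(OI)(CI)(RX)\n",
}
# Constructed search path: the first entry does not exist on disk.
SAMPLE_PATH = ["C:\\placeholder-build\\lib\\site-packages",
               "C:\\Program Files\\ExampleApp\\lib"]

if __name__ == "__main__":
    print(audit_search_path(SAMPLE_PATH, SAMPLE_ACLS))
```

Any entry reported here resolves to a location a non-administrator can populate, so it should be removed from the search path or its ancestor's ACL tightened.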
Solution
Upgrade Splunk Enterprise to versions 10.2.0, 10.0.3, 9.4.8, 9.3.9 or higher.
Product Status
| Product | Base Version | Affected Version | Fix Version |
|---|---|---|---|
| Splunk Enterprise | 10.2 | Not affected | 10.2.0 |
| Splunk Enterprise | 10.0 | 10.0.0 to 10.0.2 | 10.0.3 |
| Splunk Enterprise | 9.4 | 9.4.0 to 9.4.7 | 9.4.8 |
| Splunk Enterprise | 9.3 | 9.3.0 to 9.3.8 | 9.3.9 |
Mitigations and Workarounds
See Install on Windows for more information on how to install Splunk Enterprise.
Detections
None
Severity
Splunk rates this vulnerability a 7.7, High, with a CVSSv3.1 vector of CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H.
If the Splunk Enterprise instance does not run on Windows, there should be no impact and the severity would be Informational.
Acknowledgments
Bocheng Xiang (@Crispr)