Path Traversal through 'explicit_appname' in the App Install REST Endpoint in Splunk Enterprise

Advisory ID: SVD-2026-0703

CVE ID: CVE-2026-20297

Published: 2026-07-15

Last Update: 2026-07-15

CVSSv3.1 Score: 7.2, High

CWE: CWE-22

Bug ID: VULN-71088

Description

In Splunk Enterprise versions below 10.4.1, 10.2.5, 10.0.8, 9.4.13, and 9.3.14, and Splunk Cloud Platform versions below 10.5.2605.0, 10.4.2604.6, 10.2.2510.18, and 10.1.2507.24, a user who holds a role that contains the edit_local_apps and install_apps capabilities could cause a legitimate app installation to write files outside the intended app directory, into $SPLUNK_HOME/etc/ and its subdirectories.

The vulnerability is caused by a path traversal in the app installation workflow, which does not restrict the installation path to the intended app directory.

For more information about Splunk platform roles and capabilities, see Define roles on the Splunk platform with capabilities.

Solution

Upgrade Splunk Enterprise to versions 10.4.1, 10.2.5, 10.0.8, 9.4.13, and 9.3.14, or higher.

Splunk is actively monitoring and patching Splunk Cloud Platform instances.

Product Status

ProductBase VersionComponentAffected VersionFix Version
Splunk Enterprise10.4REST API10.4.0 to 10.4.010.4.1
Splunk Enterprise10.2REST API10.2.0 to 10.2.410.2.5
Splunk Enterprise10.0REST API10.0.0 to 10.0.710.0.8
Splunk Enterprise9.4REST API9.4.0 to 9.4.129.4.13
Splunk Enterprise9.3REST API9.3.0 to 9.3.139.3.14
Splunk Cloud Platform10.5.2605REST APIBelow 10.5.2605.010.5.2605.0
Splunk Cloud Platform10.4.2604REST APIBelow 10.4.2604.610.4.2604.6
Splunk Cloud Platform10.2.2510REST APIBelow 10.2.2510.1810.2.2510.18
Splunk Cloud Platform10.1.2507REST APIBelow 10.1.2507.2410.1.2507.24

Mitigations and Workarounds

None

Detections

None

Severity

Splunk rates this vulnerability a 7.2, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.

Acknowledgments

Vinay Manivel, Splunk