Path Traversal through 'explicit_appname' in the App Install REST Endpoint in Splunk Enterprise
Advisory ID: SVD-2026-0703
CVE ID: CVE-2026-20297
Published: 2026-07-15
Last Update: 2026-07-15
CVSSv3.1 Score: 7.2, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-22
Bug ID: VULN-71088
Description
In Splunk Enterprise versions below 10.4.1, 10.2.5, 10.0.8, 9.4.13, and 9.3.14, and Splunk Cloud Platform versions below 10.5.2605.0, 10.4.2604.6, 10.2.2510.18, and 10.1.2507.24, a user who holds a role that contains the edit_local_apps and install_apps capabilities could cause a legitimate app installation to write files outside the intended app directory, into $SPLUNK_HOME/etc/ and its subdirectories.
The vulnerability is caused by a path traversal in the app installation workflow, which does not restrict the installation path to the intended app directory.
For more information about Splunk platform roles and capabilities, see Define roles on the Splunk platform with capabilities.
Solution
Upgrade Splunk Enterprise to versions 10.4.1, 10.2.5, 10.0.8, 9.4.13, and 9.3.14, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
| Product | Base Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 10.4 | REST API | 10.4.0 to 10.4.0 | 10.4.1 |
| Splunk Enterprise | 10.2 | REST API | 10.2.0 to 10.2.4 | 10.2.5 |
| Splunk Enterprise | 10.0 | REST API | 10.0.0 to 10.0.7 | 10.0.8 |
| Splunk Enterprise | 9.4 | REST API | 9.4.0 to 9.4.12 | 9.4.13 |
| Splunk Enterprise | 9.3 | REST API | 9.3.0 to 9.3.13 | 9.3.14 |
| Splunk Cloud Platform | 10.5.2605 | REST API | Below 10.5.2605.0 | 10.5.2605.0 |
| Splunk Cloud Platform | 10.4.2604 | REST API | Below 10.4.2604.6 | 10.4.2604.6 |
| Splunk Cloud Platform | 10.2.2510 | REST API | Below 10.2.2510.18 | 10.2.2510.18 |
| Splunk Cloud Platform | 10.1.2507 | REST API | Below 10.1.2507.24 | 10.1.2507.24 |
Mitigations and Workarounds
None
Detections
None
Severity
Splunk rates this vulnerability a 7.2, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.
Acknowledgments
Vinay Manivel, Splunk