Back to overview

CVE-2026-20297

HIGH
7.2
CVSS 3.1
Description
In Splunk Enterprise versions below 10.4.1, 10.2.5, 10.0.8, 9.4.13, and 9.3.14, and Splunk Cloud Platform versions below 10.5.2605.0, 10.4.2604.6, 10.2.2510.18, and 10.1.2507.24, a user who holds a role that contains the `edit_local_apps` and `install_apps` capabilities could cause a legitimate app installation to write files outside the intended app directory, into `$SPLUNK_HOME/etc/` and its subdirectories.<br><br>The vulnerability is caused by a path traversal in the app installation workflow, which does not restrict the installation path to the intended app directory.

Metadata

CVE ID
CVE-2026-20297
State
PUBLISHED
Assigner
cisco
Reserved
2025-10-08 11:59 UTC
Published
2026-07-15 17:18 UTC
Last updated
2026-07-15 18:10 UTC
Primary CWE
CWE-22
The software uses external input to construct a pathname tha…
Vendor / Product
Splunk / Splunk Enterprise
Sources
cve.org  ·  NVD

Severity & Metrics

7.2 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
total
Affected products (2)
VendorProductPlatformVersions
Splunk Splunk Cloud Platform 10.5.2605 < 10.5.2605.0, 10.4.2604 < 10.4.2604.6, 10.2.2510 < 10.2.2510.18, 10.1.2507 < 10.1.2507.24
Splunk Splunk Enterprise 10.4 < 10.4.1, 10.2 < 10.2.5, 10.0 < 10.0.8, 9.4 < 9.4.13 …
Weakness (CWE)
CWESourceDescription
CWE-22 cna The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.2 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Back to overview