High-Severity RCE Vulnerability in Splunk Enterprise and Cloud Platform Disclosed
A critical Remote Command Execution (RCE) vulnerability, tracked as CVE-2026-20163 (CVSS 8.0), has been identified in Splunk Enterprise and Splunk Cloud Platform, exposing systems to arbitrary command execution risks. The flaw stems from improper input neutralization (CWE-77) in the platform’s REST API, specifically at the /splunkd/__upload/indexing/preview endpoint.
During file upload previews, Splunk processes the unarchive_cmd parameter without adequate sanitization, allowing attackers to inject malicious shell commands. While exploitation requires a user account with the edit_cmd privilege, which limits exposure to high-level administrators, a compromised admin account could enable full server takeover.
Affected Versions:
- Splunk Enterprise 10.0: 10.0.0–10.0.3
- Splunk Enterprise 9.4: 9.4.0–9.4.8
- Splunk Enterprise 9.3: 9.3.0–9.3.9
- Splunk Cloud Platform: Versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.24
Mitigation:
Splunk has released patches to address the flaw. Administrators should upgrade to:
- Splunk Enterprise 10.0: 10.0.4
- Splunk Enterprise 9.4: 9.4.9
- Splunk Enterprise 9.3: 9.3.10
Splunk Cloud Platform instances are being patched automatically by the vendor. The Splunk Enterprise 10.2 branch remains unaffected.
Source: https://gbhackers.com/splunk-rce-vulnerability-arbitrary-shell-commands/
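As an added example (not from the advisory or from Splunk), the following Python check maps an installed Splunk Enterprise or Cloud Platform version string onto the affected and fixed releases listed above and reports the release to upgrade to. The version tables are copied from the advisory; the product labels 'enterprise' and 'cloud' are names chosen here.

```python
from typing import Dict, NamedTuple, Optional, Tuple

Version = Tuple[int, ...]

# Splunk Enterprise: branch -> first fixed release (taken from the advisory above)
ENTERPRISE_FIXED: Dict[Tuple[int, int], Version] = {
    (10, 0): (10, 0, 4),
    (9, 4): (9, 4, 9),
    (9, 3): (9, 3, 10),
}
ENTERPRISE_UNAFFECTED = {(10, 2)}  # the advisory says the 10.2 branch is not affected

# Splunk Cloud Platform: branch -> first fixed build (taken from the advisory above)
CLOUD_FIXED: Dict[Tuple[int, int], Version] = {
    (10, 2): (10, 2, 2510, 5),
    (10, 0): (10, 0, 2503, 12),
    (10, 1): (10, 1, 2507, 16),
    (9, 3): (9, 3, 2411, 24),
}


class Assessment(NamedTuple):
    affected: Optional[bool]   # None: branch not covered by the advisory
    upgrade_to: Optional[str]  # first fixed release when affected, else None


def parse_version(text: str) -> Version:
    """Turn '9.4.8' or '10.0.2503.11' into a tuple that compares numerically."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str, product: str) -> Assessment:
    """Classify a version against the CVE-2026-20163 fixes; product is 'enterprise' or 'cloud'."""
    v = parse_version(version)
    branch = v[:2]
    if product == "enterprise":
        if branch in ENTERPRISE_UNAFFECTED:
            return Assessment(False, None)
        table = ENTERPRISE_FIXED
    elif product == "cloud":
        table = CLOUD_FIXED
    else:
        raise ValueError(f"unknown product: {product!r}")
    fixed = table.get(branch)
    if fixed is None:
        return Assessment(None, None)  # e.g. a branch the advisory does not list
    # Tuple comparison also orders extra components correctly, e.g. 10.0.3.1 < 10.0.4
    if v < fixed:
        return Assessment(True, ".".join(map(str, fixed)))
    return Assessment(False, None)
```

A result of `affected=None` means the branch is not in the advisory at all, so it should be treated as "check with the vendor" rather than "not affected".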
Splunk cybersecurity rating report: https://www.rankiteo.com/company/splunk
{
  "id": "SPL1773304071",
  "linkid": "splunk",
  "type": "Vulnerability",
  "date": "3/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {"industry": "Technology/Enterprise Software", "name": "Splunk Enterprise", "type": "Software"},
    {"industry": "Technology/Cloud Services", "name": "Splunk Cloud Platform", "type": "Cloud Service"}
  ],
  "attack_vector": "REST API endpoint (`/splunkd/__upload/indexing/preview`)",
  "description": "A critical Remote Command Execution (RCE) vulnerability, tracked as CVE-2026-20163 (CVSS 8.0), has been identified in Splunk Enterprise and Splunk Cloud Platform, exposing systems to arbitrary command execution risks. The flaw stems from improper input neutralization (CWE-77) in the platform’s REST API, specifically at the `/splunkd/__upload/indexing/preview` endpoint. During file upload previews, Splunk processes the `unarchive_cmd` parameter without adequate sanitization, allowing attackers to inject malicious shell commands. While exploitation requires a user account with the edit_cmd privilege, a compromised admin account could enable full server takeover.",
  "impact": {"systems_affected": "Full server takeover possible"},
  "post_incident_analysis": {
    "corrective_actions": "Patch management and input sanitization improvements",
    "root_causes": "Improper input neutralization in the `unarchive_cmd` parameter of the REST API endpoint"
  },
  "recommendations": "Administrators should upgrade to the latest patched versions of Splunk Enterprise and ensure Splunk Cloud Platform instances are updated.",
  "response": {
    "containment_measures": "Patches released for affected versions",
    "remediation_measures": "Upgrade to patched versions (Splunk Enterprise 10.0.4, 9.4.9, 9.3.10; Splunk Cloud Platform instances patched automatically)"
  },
  "title": "High-Severity RCE Vulnerability in Splunk Enterprise and Cloud Platform Disclosed",
  "type": "Remote Command Execution (RCE)",
  "vulnerability_exploited": "CVE-2026-20163 (Improper Neutralization of Special Elements used in a Command - CWE-77)"
}