Splunk: Splunk Secure Gateway RCE Vulnerability Lets Low-Privileged Attackers Execute Arbitrary Code

Critical RCE Vulnerability in Splunk Secure Gateway Exposes Enterprise Deployments

A newly disclosed high-severity vulnerability in Splunk Secure Gateway (SSG), tracked as CVE-2026-20251 (CVSS 8.8), enables low-privileged authenticated users to execute arbitrary code remotely on affected systems. The flaw stems from unsafe deserialization of user-controlled data via the Python jsonpickle library, creating a significant risk for enterprise Splunk environments.

The vulnerability was uncovered by ReactiveZero Security and exploits weaknesses in how SSG processes alert data stored in the KV Store’s “mobile_alerts” collection. Attackers with low-privilege access can inject a maliciously crafted JSON document through the Splunk REST API, bypassing flawed validation routines. The payload is then deserialized by jsonpickle.decode(), leading to remote code execution (RCE) under the Splunk service account.

Two critical issues enable the exploit:

  1. Validator Bypass: The check_alert_data_valid_json() function incorrectly short-circuits validation when encountering a permitted key (e.g., “py/object”), failing to inspect other fields where malicious payloads (e.g., “notification”) may be embedded.
  2. Unsafe Deserialization: Despite the safe=True flag, jsonpickle remains vulnerable to dangerous paths like “py/reduce”, allowing attackers to invoke arbitrary Python functions including system commands via subprocess.

Exploitation requires only a valid low-privilege Splunk account and no user interaction. A proof-of-concept (PoC) demonstrates how a crafted payload can execute commands (e.g., `subprocess.check_output(["uname", "-a"])`) during deserialization, confirming the flaw's severity.
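To make the two issues concrete, here is an added example (not SSG's code and not the researchers' PoC): a hypothetical model of a validator that short-circuits on the first permitted key, beside a strict loader that parses alert data with the standard `json` module and rejects any jsonpickle-style `py/` tag at any depth. The allowed key names, the sample document and the placeholder value are constructed for this illustration.

```python
import json

# Hypothetical model of the short-circuiting check described above: it
# returns True as soon as it meets a key it considers acceptable and never
# looks at the remaining fields. Constructed for this example, not SSG code.
ALLOWED_TOP_LEVEL_KEYS = {"py/object", "notification", "user", "alert_id"}


def flawed_validator(doc):
    for key in doc:
        if key in ALLOWED_TOP_LEVEL_KEYS:
            return True  # short-circuit: later fields are never inspected
    return False


def find_pickle_tags(node, path="$"):
    """Walk a parsed JSON value recursively and return the location of every
    key that starts with "py/" (the prefix jsonpickle uses for its tags)."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(key, str) and key.startswith("py/"):
                hits.append(f"{path}.{key}")
            hits.extend(find_pickle_tags(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_pickle_tags(item, f"{path}[{i}]"))
    return hits


def load_alert_strictly(raw):
    """Parse untrusted alert data as plain JSON (json.loads never instantiates
    objects, unlike jsonpickle.decode) and reject it if any py/ tag appears
    anywhere in the document, not only at the top level."""
    doc = json.loads(raw)
    tags = find_pickle_tags(doc)
    if tags:
        raise ValueError(f"rejected alert data: jsonpickle tags at {tags}")
    return doc


# Constructed sample: the nested tag sits under "notification", a field the
# short-circuiting check never reaches. The value is a placeholder, not a payload.
SAMPLE_DOC = {
    "py/object": "placeholder.Alert",
    "notification": {"py/reduce": ["<placeholder, not a working payload>"]},
}
SAMPLE_ALERT = json.dumps(SAMPLE_DOC)
```

Running `flawed_validator(SAMPLE_DOC)` returns True while `find_pickle_tags(SAMPLE_DOC)` reports both tag locations, which is why a per-field, recursive check (or simply not using jsonpickle on untrusted input) is the fix.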

Affected Versions:

  • Splunk Secure Gateway: 3.8.x, 3.9.x, 3.10.x
  • Splunk Enterprise: Versions prior to 10.0.7, 10.2.4, and 10.4.0+

Splunk has released patches in SSG versions 3.8.67, 3.9.20, and 3.10.6. Organizations are urged to apply updates immediately. Temporary mitigations include disabling the Secure Gateway app (if unused), restricting KV Store write permissions, and enforcing strict access controls.

The incident underscores a persistent security risk in Python applications: unsafe deserialization of untrusted data, where incomplete validation can neutralize protective measures, leading to full system compromise.

Source: https://gbhackers.com/splunk-secure-gateway-rce-vulnerability/

Splunk cybersecurity rating report: https://www.rankiteo.com/company/splunk

Rankiteo incident record:

  • ID: SPL1782735858
  • Type: Vulnerability
  • Date: 6/2026
  • Severity: 85
  • Impact: 4
  • Explanation: Attack with significant impact with customers data leaks