Splunk RCE Vulnerability Allows Attackers to Execute Arbitrary Shell Commands


Splunk RCE Vulnerability

A critical security advisory has been released, warning users of a high-severity vulnerability affecting both Enterprise and Cloud platforms.

Tracked as CVE-2026-20163, this flaw carries a CVSS score of 8.0. It enables attackers to perform Remote Command Execution (RCE) on targeted systems.

The vulnerability stems from improper handling of user inputs when the system previews uploaded files before indexing them.

While the flaw requires the attacker to have high-level privileges, a successful exploit could allow a malicious user to take control of the underlying host server.


The core issue is classified as CWE-77, which involves the improper neutralization of special elements used in a command.

The vulnerability exists within the REST API component of Splunk, specifically targeting the /splunkd/__upload/indexing/preview endpoint.

For an attacker to exploit this flaw, they must already hold a user role that includes the high-privilege edit_cmd capability.


If this condition is met, the attacker can manipulate the unarchive_cmd parameter during the file upload preview process.

Because the system fails to sanitize this input properly, the attacker can easily inject and execute arbitrary shell commands directly on the server.

This security flaw was responsibly disclosed and credited to security researcher Danylo Dmytriiev (DDV_UA), alongside Splunk internal team members Gabriel Nitu and James Ervin.

The vulnerability impacts several recent versions of Splunk’s software. Administrators should check their deployments against the following affected releases.

Affected versions include Enterprise 10.0.0–10.0.3, 9.4.0–9.4.8, 9.3.0–9.3.9, and Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, 10.0.2503.12, and 9.3.2411.124.

The base Splunk Enterprise 10.2 release is not affected by this vulnerability. Additionally, Splunk is actively monitoring and deploying patches directly to affected Cloud Platform instances.

To protect your infrastructure from potential exploitation, Splunk strongly recommends addressing this vulnerability immediately through updates or temporary mitigations.

  • Upgrade Splunk Enterprise: Administrators should update their installations to fixed versions 10.2.0, 10.0.4, 9.4.9, 9.3.10, or higher.
  • Implement Workarounds: If an immediate upgrade is not possible, you can mitigate the risk by completely removing the high-privilege edit_cmd capability from all user roles. This breaks the exploit chain by denying the permissions required to execute the malicious command.
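The two checks the advisory asks administrators to make, deciding whether an installed Splunk Enterprise version sits in an affected range and finding every role that holds edit_cmd directly or through role inheritance, are shown below as an added example. This is not Splunk's code or a tool from the advisory; it assumes the standard authorize.conf layout (`[role_<name>]` stanzas, `importRoles = a;b`, and `<capability> = enabled` lines), and the conf text it reads is constructed for the example. The version table encodes only the Enterprise ranges the advisory lists; Cloud Platform versions are patched by Splunk and are not modelled.

```python
"""Audit helpers for the Splunk edit_cmd / upload-preview advisory (added example)."""
import configparser
import re

# Affected Splunk Enterprise ranges and the fixed release for each line, as stated in the advisory.
AFFECTED_RANGES = [
    ((10, 0, 0), (10, 0, 3), "10.0.4"),
    ((9, 4, 0), (9, 4, 8), "9.4.9"),
    ((9, 3, 0), (9, 3, 9), "9.3.10"),
]

# Constructed authorize.conf content for the example (not from a real deployment).
# Lines must start in column 0: configparser treats indented lines as continuations.
SAMPLE_AUTHORIZE_CONF = """\
[role_admin]
edit_cmd = enabled
admin_all_objects = enabled

[role_user]
search = enabled

[role_power]
importRoles = user
schedule_search = enabled

[role_ingest_ops]
importRoles = power
edit_cmd = enabled

[role_analyst]
importRoles = ingest_ops
"""


def parse_version(version):
    """Turn '9.4.8' (or '9.4.8-xyz') into (9, 4, 8); only the first three numbers count."""
    parts = re.findall(r"\d+", version)
    if len(parts) < 3:
        raise ValueError(f"unrecognised Splunk version string: {version!r}")
    return tuple(int(p) for p in parts[:3])


def affected_enterprise_version(version):
    """Return the fixed release to upgrade to if `version` is in an affected range, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return fixed
    return None


def parse_authorize_conf(text):
    """Parse authorize.conf text into {role: {"caps": set(...), "imports": [...]}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep capability names exactly as written
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        caps, imports = set(), []
        for key, value in cp.items(section):
            if key == "importRoles":
                imports = [r.strip() for r in value.split(";") if r.strip()]
            elif value.strip().lower() == "enabled":
                caps.add(key)
        roles[section[len("role_"):]] = {"caps": caps, "imports": imports}
    return roles


def effective_capabilities(roles, name, _seen=None):
    """Capabilities of a role including those inherited via importRoles (cycle-safe).
    Simplification: a capability enabled anywhere in the import chain is treated as granted."""
    seen = _seen if _seen is not None else set()
    if name in seen or name not in roles:
        return set()
    seen.add(name)
    caps = set(roles[name]["caps"])
    for parent in roles[name]["imports"]:
        caps |= effective_capabilities(roles, parent, seen)
    return caps


def roles_with_capability(conf_text, capability="edit_cmd"):
    """Sorted list of roles that hold `capability`, directly or by inheritance."""
    roles = parse_authorize_conf(conf_text)
    return sorted(n for n in roles if capability in effective_capabilities(roles, n))


def without_capability(conf_text, capability="edit_cmd"):
    """Return the conf text with every direct grant of `capability` removed (the advisory's
    workaround). Caveat: grants in other config layers, e.g. an app's default/authorize.conf,
    are not seen here and must be reviewed separately."""
    grant = re.compile(rf"^\s*{re.escape(capability)}\s*=")
    return "\n".join(line for line in conf_text.splitlines() if not grant.match(line))


if __name__ == "__main__":
    for ver in ("10.0.3", "9.4.8", "10.2.0"):
        print(ver, "->", affected_enterprise_version(ver) or "not in an affected Enterprise range")
    print("roles holding edit_cmd:", roles_with_capability(SAMPLE_AUTHORIZE_CONF))
    print("after workaround:", roles_with_capability(without_capability(SAMPLE_AUTHORIZE_CONF)))
```

The `analyst` role in the sample never mentions edit_cmd itself but inherits it through `ingest_ops`, which is exactly the case a quick `grep edit_cmd` on the file would miss; auditing effective rather than literal grants is what makes the workaround in the advisory complete.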

Currently, no specific threat detection signatures are available for this vulnerability, making proactive patching and strict privilege management critical.
