Splunk RCE Vulnerability Exposes Systems to Arbitrary Shell Command Execution by Attackers


A high-severity Remote Command Execution (RCE) vulnerability has been discovered in Splunk Enterprise and Splunk Cloud Platform, exposing systems to severe security risks.

Tracked as CVE-2026-20163 with a CVSS score of 8.0, the flaw allows an attacker to execute arbitrary shell commands on the host operating system.

Classified as CWE-77 (improper neutralization of special elements used in a command, i.e. command injection), the bug illustrates the consequences of passing unsanitized input to a shell in enterprise software.

Technical Exploitation Details

The core of this vulnerability lies within the platform’s REST API, specifically at the /splunkd/__upload/indexing/preview endpoint.

When a user uploads a file to Splunk, the system previews it before indexing. The preview request accepts a parameter named unarchive_cmd, which specifies the command used to unpack archived uploads.

Because Splunk does not properly sanitize the value supplied in this parameter, an attacker can inject additional shell commands into it.

When the system processes the file preview, it unknowingly executes the attacker’s malicious instructions.

An important mitigating factor lowers the immediate threat: exploitation requires an authenticated account that holds the high-privilege edit_cmd capability.

Standard users therefore cannot trigger the flaw, but a compromised administrator account would let a threat actor pivot from application access to full control of the underlying server.

This vulnerability spans multiple versions of both the on-premises and cloud deployments. System administrators must check their current builds against the following impacted versions:

  • Splunk Enterprise 10.0: Versions 10.0.0 through 10.0.3
  • Splunk Enterprise 9.4: Versions 9.4.0 through 9.4.8
  • Splunk Enterprise 9.3: Versions 9.3.0 through 9.3.9
  • Splunk Cloud Platform: Versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.24

Splunk Enterprise 10.2 is not affected by this flaw.

Essential Mitigations and Fixes

To protect enterprise networks from potential arbitrary command execution, administrators must prioritize patching.

Splunk has released official security updates that correct the input sanitization failures across all affected branches.

  • Upgrade Splunk Enterprise 10.0 environments to version 10.0.4.
  • Upgrade Splunk Enterprise 9.4 environments to version 9.4.9.
  • Upgrade Splunk Enterprise 9.3 environments to version 9.3.10.
  • For Splunk Cloud Platform customers, Splunk is actively monitoring the situation and applying patches directly to hosted instances.
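As an added example, not taken from the advisory or from Splunk, here is a small Python helper that classifies a Splunk Enterprise or Splunk Cloud Platform build against the affected ranges and fixed versions listed above, so an administrator can script the check across a fleet rather than compare version strings by hand. The range tables are transcribed from this article; the version strings passed to it are the ones reported by the installed build.

```python
"""Classify a Splunk build against the CVE-2026-20163 version ranges listed above."""
from typing import Dict, Tuple

Version = Tuple[int, ...]

# Splunk Enterprise: branch -> (first affected build, first fixed build).
ENTERPRISE_RANGES: Dict[Version, Tuple[Version, Version]] = {
    (10, 0): ((10, 0, 0), (10, 0, 4)),
    (9, 4): ((9, 4, 0), (9, 4, 9)),
    (9, 3): ((9, 3, 0), (9, 3, 10)),
}

# Splunk Cloud Platform: branch -> first fixed build (everything below it is affected).
CLOUD_FIXED: Dict[Version, Version] = {
    (10, 2): (10, 2, 2510, 5),
    (10, 0): (10, 0, 2503, 12),
    (10, 1): (10, 1, 2507, 16),
    (9, 3): (9, 3, 2411, 24),
}


def parse_version(text: str) -> Version:
    """Turn '9.4.3' or '10.0.2503.12' into an int tuple; a '-' or '+' build suffix is ignored."""
    core = text.strip().split("-")[0].split("+")[0]
    parts = core.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def enterprise_status(text: str) -> str:
    """Return 'affected', 'fixed' or 'not listed' for a Splunk Enterprise build."""
    v = parse_version(text)
    v = v + (0,) * (3 - len(v))  # '9.4' is treated as 9.4.0
    branch = v[:2]
    if branch not in ENTERPRISE_RANGES:
        return "not listed"  # e.g. 10.2, which the advisory states is unaffected
    first, fixed = ENTERPRISE_RANGES[branch]
    return "affected" if first <= v < fixed else "fixed"


def cloud_status(text: str) -> str:
    """Return 'affected', 'fixed' or 'not listed' for a Splunk Cloud Platform build."""
    v = parse_version(text)
    branch = v[:2]
    if branch not in CLOUD_FIXED:
        return "not listed"
    return "affected" if v < CLOUD_FIXED[branch] else "fixed"
```

Tuple comparison is lexicographic, so a build such as 10.0.2503.9 correctly sorts below 10.0.2503.12 even though "9" is greater than "1" as a string.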
