Remote Code Execution Vulnerability in Splunk Enterprise and Cloud Platform
CVE-2026-20251
Key Information:
- Vendor
Splunk
- Vendor
- CVE Published:
- 10 June 2026
Badges
What is CVE-2026-20251?
CVE-2026-20251 is a notable vulnerability affecting multiple versions of Splunk Enterprise, Splunk Cloud Platform, and Splunk Secure Gateway. Specifically, it targets versions of Splunk Enterprise below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, as well as Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132. The vulnerability arises from unsafe deserialization of App Key Value Store (KV Store) data via the ‘jsonpickle’ Python library, which does not adequately validate inputs. This flaw allows low-privileged users, without the 'admin' or 'power' roles, to execute arbitrary code remotely through the Splunk Secure Gateway app. Such access can lead to severe security breaches, enabling attackers to compromise systems, manipulate data, or launch further attacks within an organization’s IT infrastructure.
Potential impact of CVE-2026-20251
-
Remote Code Execution Risks: The primary consequence of this vulnerability is the potential for remote code execution, which allows unauthorized users to run malicious code on affected systems. This could lead to data breaches, the installation of malware, or other malicious actions.
-
Escalation of Privileges: While the immediate threat pertains to low-privileged users, successful exploitation can facilitate privilege escalation, granting attackers higher-level access within the Splunk environment. This can significantly compromise the security of sensitive data and administrative controls.
-
Data Integrity and Confidentiality Threats: The ability to execute arbitrary code can undermine the integrity and confidentiality of data stored and processed by Splunk. Attackers could manipulate data outputs, potentially impacting decision-making based on inaccurate information and exposing sensitive information to unauthorized parties.
Affected Version(s)
Splunk Cloud Platform 10.3.2512 < 10.3.2512.12
Splunk Cloud Platform 10.2.2510 < 10.2.2510.14
Splunk Cloud Platform 10.1.2507 < 10.1.2507.22
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
References
CVSS V3.1
Timeline
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved