Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway
CVE-2026-20251

8.8 HIGH

What is CVE-2026-20251?

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could perform a Remote Code Execution (RCE) through the Splunk Secure Gateway app. The Remote Code Execution is possible because of unsafe deserialization of App Key Value Store (KV Store) data through the 'jsonpickle' Python library, which reconstructs arbitrary Python objects from specially crafted JavaScript Object Notation (JSON) without adequate validation.
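A defender-side check for the pattern described above, as an added example that is not Splunk's code or its fix: it parses KV Store-style records with the standard `json` module only and reports every key that carries jsonpickle's `py/` object-tag prefix (such as `py/object`). The record fields, sample data and function names are constructed for illustration, and treating every `py/`-prefixed key as suspect is an assumption of this example.

```python
import json

# jsonpickle marks encoded Python objects with reserved keys such as
# "py/object"; any key with this prefix is treated as suspect (assumption).
TAG_PREFIX = "py/"


def find_object_tags(node, path="$"):
    """Return the JSON path of every object-tag key found under node."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key.startswith(TAG_PREFIX):
                hits.append(child)
            hits.extend(find_object_tags(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_object_tags(item, f"{path}[{i}]"))
    elif isinstance(node, str) and node.lstrip().startswith(("{", "[")):
        # Stored fields can hold JSON serialized as a string; inspect it too.
        try:
            hits.extend(find_object_tags(json.loads(node), path + "<json>"))
        except (ValueError, RecursionError):
            pass  # not valid JSON, so nothing for a decoder to rebuild
    return hits


def load_plain_record(raw):
    """Parse with json.loads only and refuse records carrying object tags."""
    record = json.loads(raw)  # yields dict/list/str/number, never objects
    hits = find_object_tags(record)
    if hits:
        raise ValueError(f"object tags present at: {hits}")
    return record


# Constructed sample records (hypothetical fields, not real app data).
SAMPLES = [
    json.dumps({"_key": "a1", "device_name": "phone"}),
    json.dumps({"_key": "b2",
                "settings": {"py/object": "constructed.module.Thing"}}),
    json.dumps({"_key": "c3",
                "blob": json.dumps({"items": [{"py/type": "constructed.Kind"}]})}),
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(find_object_tags(json.loads(raw)))
```

The same walk can be run over exported collection data to flag records for review; it identifies tagged documents and does not replace upgrading to a fixed version.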

Affected Version(s)

Splunk Cloud Platform 10.3.2512 < 10.3.2512.12

Splunk Cloud Platform 10.2.2510 < 10.2.2510.14

Splunk Cloud Platform 10.1.2507 < 10.1.2507.22

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

M Mahdan Argya Syarif (0xbeludan)