Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-20251

CVE-2026-20251: Splunk Enterprise RCE Vulnerability

CVE-2026-20251 is a remote code execution vulnerability in Splunk Enterprise that allows low-privileged users to execute arbitrary code through unsafe deserialization. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-20251 Overview

CVE-2026-20251 is a high-severity Remote Code Execution (RCE) vulnerability affecting Splunk Enterprise, Splunk Cloud Platform, and the Splunk Secure Gateway app. The flaw arises from unsafe deserialization [CWE-502] of App Key Value Store (KV Store) data using the jsonpickle Python library. A low-privileged authenticated user without the admin or power Splunk roles can execute arbitrary code on the underlying system. The jsonpickle library reconstructs arbitrary Python objects from attacker-controlled JSON without adequate validation, enabling object injection.

Critical Impact

Authenticated low-privileged users can achieve Remote Code Execution on Splunk instances, leading to full compromise of confidentiality, integrity, and availability.

Affected Products

  • Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13
  • Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132
  • Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67

Discovery Timeline

  • 2026-06-10 - CVE-2026-20251 published to NVD
  • 2026-06-10 - Last updated in NVD database

Technical Details for CVE-2026-20251

Vulnerability Analysis

The vulnerability resides in the Splunk Secure Gateway app, which processes data stored in the App Key Value Store (KV Store). The application uses the jsonpickle Python library to deserialize JSON payloads back into Python objects. jsonpickle is designed to reconstruct arbitrary Python objects from JSON, including object types, attributes, and references. When the library deserializes attacker-controlled JSON, it can be coerced into instantiating arbitrary classes and invoking methods on them.

An authenticated user without admin or power privileges can write crafted JSON payloads into the KV Store. When the Secure Gateway app subsequently reads and deserializes that data, the jsonpickle library reconstructs the malicious object graph, triggering code execution within the Splunk process context.

Root Cause

The root cause is improper input validation during deserialization. The jsonpickle library treats class names and constructor arguments inside JSON as trusted data. No allowlist of permitted types is enforced, and no integrity validation is applied to KV Store entries before deserialization. This permits object injection by any user with write access to the relevant KV Store collection.

Attack Vector

The attack is performed over the network against an authenticated Splunk session. The attacker requires only a low-privileged account. The attacker stores a crafted JSON payload referencing Python classes whose constructors or __reduce__ methods execute system commands. When the Splunk Secure Gateway app deserializes the entry, the payload executes with the privileges of the Splunk service account. No user interaction is required.

No public proof-of-concept code has been released. Refer to the Splunk Security Advisory SVD-2026-0601 for vendor technical details.

Detection Methods for CVE-2026-20251

Indicators of Compromise

  • Unexpected child processes spawned by Splunk daemons such as splunkd or Python interpreters launched by the Secure Gateway app
  • Anomalous writes to KV Store collections owned by the splunk_secure_gateway app from non-administrative accounts
  • Outbound network connections initiated by the Splunk process to attacker-controlled hosts
  • New files written under Splunk installation directories outside of normal update operations

Detection Strategies

  • Monitor Splunk internal audit logs (index=_audit) for KV Store modifications by low-privileged users targeting Secure Gateway collections
  • Inspect REST API calls to /servicesNS/.../storage/collections/data/ for payloads containing jsonpickle markers such as py/object, py/reduce, or py/newobj
  • Alert on process lineage where splunkd or its Python subprocesses execute shell utilities such as /bin/sh, bash, cmd.exe, or powershell.exe

Monitoring Recommendations

  • Enable verbose REST endpoint logging for the Splunk Secure Gateway app and forward to a centralized analytics platform
  • Establish a baseline of normal KV Store write patterns and alert on deviations
  • Audit Splunk role assignments to identify users with KV Store write capabilities outside of admin and power roles

How to Mitigate CVE-2026-20251

Immediate Actions Required

  • Upgrade Splunk Enterprise to 10.2.4, 10.0.7, 9.4.12, 9.3.13, or later fixed releases
  • Upgrade the Splunk Secure Gateway app to 3.10.6, 3.9.20, or 3.8.67
  • Splunk Cloud Platform customers should confirm the platform has been upgraded to a fixed build by Splunk
  • Review and restrict user role capabilities so only trusted accounts can write to KV Store collections

Patch Information

Splunk has released fixed versions for Splunk Enterprise, Splunk Cloud Platform, and the Splunk Secure Gateway app. See the Splunk Security Advisory SVD-2026-0601 for the complete list of fixed builds and upgrade guidance.

Workarounds

  • Disable or uninstall the Splunk Secure Gateway app if it is not required in the environment
  • Restrict access to KV Store REST endpoints through network segmentation or reverse proxy rules
  • Apply the principle of least privilege to Splunk roles, removing KV Store write permissions from non-essential users
bash
# Disable the Splunk Secure Gateway app as a temporary mitigation
$SPLUNK_HOME/bin/splunk disable app splunk_secure_gateway -auth <admin>:<password>
$SPLUNK_HOME/bin/splunk restart

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.