Splunk CVE-2026-20163

HIGH · Command Injection (CWE-77)
2026-03-11 · psirt@cisco.com
CVSS 3.1 (NVD): 7.2

Severity by source

NVD (primary): 7.2 HIGH, AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 12, 2026 - 22:06 (vuln.today)
CVE Published: Mar 11, 2026 - 17:16 (nvd), HIGH 7.2

Description (CVE.org)

In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124, a user who holds a role that contains the high-privilege capability edit_cmd could execute arbitrary shell commands using the unarchive_cmd parameter for the /splunkd/__upload/indexing/preview REST endpoint.

Analysis (AI)

Arbitrary shell command execution in Splunk Enterprise and Cloud Platform allows authenticated users with the edit_cmd capability to inject commands through the unarchive_cmd parameter in the preview upload endpoint. Affected versions include Splunk Enterprise below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, as well as corresponding Cloud Platform versions. …

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

Access: Authenticate as user with edit_cmd capability
Exploit: Access /splunkd/__upload/indexing/preview endpoint
Execution: Inject malicious command in unarchive_cmd parameter
Impact: Execute arbitrary shell commands on server

Vulnerability Assessment (AI)

Exploitation: A user account assigned a role with the high-privilege 'edit_cmd' capability in Splunk Enterprise (versions <10.2.0, <10.0.4, <9.4.9, <9.3.10) or Splunk Cloud Platform (versions <10.2.2510.5, <10.0.2503.12, <10.1.2507.16, <9.3.2411.124). …
Risk Assessment: CVSS 7.2 (HIGH). …
Exploit Scenario: An attacker could exploit this vulnerability to compromise the affected system.
Remediation: Monitor vendor advisories for a patch. …

Recommended Action (AI)

Within 24 hours: Audit all users with the edit_cmd capability and restrict assignments to only essential personnel; document current role assignments. …
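
One way to run the edit_cmd audit described above, as an added example that is not code from the advisory or from Splunk: it lists every role that effectively holds edit_cmd in merged authorize.conf text, following importRoles inheritance. The sample configuration and its role names are constructed, and it assumes that a capability inherited through importRoles counts as held.

```python
import re

# Constructed sample of merged authorize.conf text (not from a real deployment).
SAMPLE_AUTHORIZE_CONF = """
[role_user]
search = enabled
[role_power]
importRoles = user
[role_ingest_admin]
importRoles = power
edit_cmd = enabled
[role_soc_lead]
importRoles = ingest_admin;user
"""

def parse_roles(conf_text):
    """Return {role: {"caps": set, "imports": list}} for every [role_<name>] stanza."""
    roles, current = {}, None
    for line in map(str.strip, conf_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        stanza = re.fullmatch(r"\[(.+)\]", line)
        if stanza:
            name = stanza.group(1)
            # Only role stanzas matter here; any other stanza ends the current role.
            current = name[len("role_"):] if name.startswith("role_") else None
            if current:
                roles.setdefault(current, {"caps": set(), "imports": []})
        elif current and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "importRoles":
                roles[current]["imports"] = [r.strip() for r in value.split(";") if r.strip()]
            elif value.lower() == "enabled":
                roles[current]["caps"].add(key)
    return roles

def roles_with_capability(conf_text, capability="edit_cmd"):
    """Map each role that effectively holds `capability` to where it comes from."""
    roles = parse_roles(conf_text)

    def source(role, seen):
        if role in seen or role not in roles:
            return None  # import cycle or import of an undefined role
        seen.add(role)
        if capability in roles[role]["caps"]:
            return role
        return next((s for p in roles[role]["imports"] if (s := source(p, seen))), None)

    origins = {role: source(role, set()) for role in roles}
    return {r: "direct" if o == r else f"inherited from {o}" for r, o in origins.items() if o}
```

Feed it the merged configuration, for example the output of `splunk btool authorize list`, and then review which users are assigned the roles it reports.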
