Splunk
CVE-2026-20163
HIGH
Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124, a user who holds a role that contains the high-privilege capability edit_cmd could execute arbitrary shell commands using the unarchive_cmd parameter for the /splunkd/__upload/indexing/preview REST endpoint.
Analysis (AI)
Arbitrary shell command execution in Splunk Enterprise and Cloud Platform allows authenticated users with the edit_cmd capability to inject commands through the unarchive_cmd parameter in the preview upload endpoint. Affected versions include Splunk Enterprise below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, as well as corresponding Cloud Platform versions. …
Vulnerability Assessment (AI)
| Aspect | Summary |
| --- | --- |
| Exploitation | User account with high-privilege 'edit_cmd' capability role assigned in Splunk Enterprise (versions <10.2.0, <10.0.4, <9.4.9, <9.3.10) or Splunk Cloud Platform (versions <10.2.2510.5, <10.0.2503.12, <10.1.2507.16, <9.3.2411.124). … |
| Risk Assessment | CVSS 7.2 (HIGH). … |
| Exploit Scenario | An attacker could exploit this vulnerability to compromise the affected system. |
| Remediation | Monitor vendor advisories for a patch. … |
Recommended Action (AI)
Within 24 hours: Audit all users with the edit_cmd capability and restrict assignments to only essential personnel; document current role assignments. …
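One way to carry out the role audit described above, as an added example that is not part of the advisory or of Splunk's own tooling. It assumes merged `authorize.conf` text (for instance the output of `splunk btool authorize list`) in which roles are `[role_<name>]` stanzas, a granted capability appears as `<capability> = enabled`, and inheritance is a semicolon-separated `importRoles` list; the sample configuration and role names are constructed.

```python
import configparser

# Constructed sample of a merged authorize.conf (not from a real deployment).
SAMPLE_AUTHORIZE_CONF = """
[role_user]
search = enabled
[role_power]
importRoles = user
[role_ingest_admin]
importRoles = power
edit_cmd = enabled
[role_soc_lead]
importRoles = ingest_admin;user
[role_legacy_ops]
importRoles = user
edit_cmd = disabled
"""

def roles_with_capability(conf_text, capability="edit_cmd"):
    """Map each role holding `capability` to the roles that grant it."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # keep key case, e.g. importRoles
    parser.read_string(conf_text)
    roles = {}
    for section in parser.sections():
        if not section.startswith("role_"):
            continue
        opts = parser[section]
        imports = [r.strip() for r in opts.get("importRoles", "").split(";") if r.strip()]
        direct = opts.get(capability, "").strip().lower() == "enabled"
        roles[section[len("role_"):]] = (direct, imports)

    def sources(role, seen):
        # Walk importRoles transitively; `seen` guards against import cycles.
        if role in seen or role not in roles:
            return set()
        seen.add(role)
        direct, imports = roles[role]
        found = {role} if direct else set()
        for parent in imports:
            found |= sources(parent, seen)
        return found

    granted = {role: sorted(sources(role, set())) for role in roles}
    return {role: via for role, via in granted.items() if via}

if __name__ == "__main__":
    for role, via in sorted(roles_with_capability(SAMPLE_AUTHORIZE_CONF).items()):
        print(f"{role}: edit_cmd granted via {', '.join(via)}")
```

Roles that only inherit the capability (here `soc_lead`) are the ones a review of direct assignments alone would miss.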