
Splunk Enterprise CVE-2026-20251

EUVD-2026-36082 · HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-10 · cisco · GHSA-3crw-7xg9-fpxg
8.8 · CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

Patch available
Jun 10, 2026 - 20:01 EUVD
Analysis Generated
Jun 10, 2026 - 18:33 vuln.today

Description (CVE.org)

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could perform a Remote Code Execution (RCE) through the Splunk Secure Gateway app.

The Remote Code Execution is possible because of unsafe deserialization of App Key Value Store (KV Store) data through the 'jsonpickle' Python library, which reconstructs arbitrary Python objects from specially crafted JavaScript Object Notation (JSON) without adequate validation.

Analysis (AI)

Remote code execution in Splunk Enterprise, Splunk Cloud Platform, and the Splunk Secure Gateway app allows a low-privileged authenticated user (without the 'admin' or 'power' roles) to execute arbitrary Python on the server by abusing unsafe jsonpickle deserialization of App Key Value Store (KV Store) data. CVSS is 8.8 (network, low complexity, low privileges), and no public exploit had been identified at the time of analysis. …
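To make the mechanism concrete, the following is an added, stand-alone illustration and not code from Splunk, jsonpickle, or this page: a standard-library re-implementation of a subset of jsonpickle's tag handling (`py/reduce`, `py/function`, `py/type`, `py/tuple`, `py/object`) shows why a KV Store record that a low-privileged user can write becomes a code-execution primitive once a tag-aware decoder reads it back, and a hardened loader beside it shows the fix: parse with `json.loads`, refuse any `py/` key, and enforce the schema you expect. The record shape, the `SCHEMA`, and the `os.getpid` gadget are assumptions chosen so the example runs harmlessly offline; the real Secure Gateway collection layout is not reproduced.

```python
import importlib
import json
import os
from typing import Any, Iterator

# Constructed KV Store records (hypothetical shape; not Splunk's real schema).
# Whoever writes the record controls the tags: this one asks the decoder to
# import os and call os.getpid(). Swap in subprocess.Popen and a command list
# and the same decode path is remote code execution in the server process.
ATTACKER_RECORD = json.dumps({
    "device_name": "phone-42",
    "payload": {"py/reduce": [{"py/function": "os.getpid"}, {"py/tuple": []}]},
})
BENIGN_RECORD = json.dumps({"device_name": "phone-7", "payload": {"os": "ios"}})


def _resolve(dotted: str) -> Any:
    """Import 'pkg.mod.attr' and return attr: the data decides what gets imported."""
    module, _, name = dotted.rpartition(".")
    return getattr(importlib.import_module(module), name)


def unsafe_decode(node: Any) -> Any:
    """Subset of jsonpickle's tag semantics, re-implemented here for illustration."""
    if isinstance(node, dict):
        if "py/reduce" in node:                       # [callable, args] -> callable(*args)
            func, args = node["py/reduce"]
            return unsafe_decode(func)(*unsafe_decode(args))
        if "py/function" in node or "py/type" in node:
            return _resolve(node.get("py/function") or node["py/type"])
        if "py/tuple" in node:
            return tuple(unsafe_decode(x) for x in node["py/tuple"])
        if "py/object" in node:                       # instance built without __init__
            cls = _resolve(node["py/object"])
            inst = cls.__new__(cls)
            inst.__dict__.update(
                {k: unsafe_decode(v) for k, v in node.items() if k != "py/object"})
            return inst
        return {k: unsafe_decode(v) for k, v in node.items()}
    if isinstance(node, list):
        return [unsafe_decode(x) for x in node]
    return node


def load_record_unsafe(raw: str) -> Any:
    """The vulnerable pattern: json.loads, then tag-driven object reconstruction."""
    return unsafe_decode(json.loads(raw))


def unsafe_decode_ran_code(raw: str = ATTACKER_RECORD) -> bool:
    """Evidence that a call happened: the decoded 'payload' is this process's pid."""
    return load_record_unsafe(raw)["payload"] == os.getpid()


def find_pickle_tags(node: Any, path: str = "$") -> Iterator[str]:
    """Yield the JSON path of every 'py/...' key; plain application data has none."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key.startswith("py/"):
                yield f"{path}.{key}"
            yield from find_pickle_tags(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_pickle_tags(value, f"{path}[{i}]")


def suspicious_paths(raw: str) -> list:
    """Hunt helper: run over exported records to find tags written before patching."""
    return list(find_pickle_tags(json.loads(raw)))


SCHEMA = {"device_name": str, "payload": dict}   # hypothetical record schema


def load_record_safe(raw: str) -> dict:
    """Hardened loader: plain JSON only, tags rejected, exact schema enforced."""
    data = json.loads(raw)                        # never instantiates objects
    tags = list(find_pickle_tags(data))
    if tags:
        raise ValueError(f"serialization tags in untrusted record: {tags}")
    if (not isinstance(data, dict) or set(data) != set(SCHEMA)
            or any(not isinstance(data[k], t) for k, t in SCHEMA.items())):
        raise ValueError("record does not match the expected schema")
    return data
```

The point of the split is trust boundary, not library choice: any decoder that lets the document name a module and a callable is an RCE sink once a lower-privileged principal can write to the store it reads. `suspicious_paths` doubles as a cheap post-incident hunt over an export of the Secure Gateway collections, since a legitimately stored record has no reason to carry a `py/` key. If jsonpickle must stay, newer releases document a safe decoding mode; confirm it exists in the version actually bundled before relying on it.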


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: obtain low-privileged Splunk credentials
Delivery: authenticate to Splunk Web
Exploit: write a crafted jsonpickle payload to the KV Store
Install: trigger a Secure Gateway read of the malicious record
C2: deserialization instantiates the gadget chain
Execute: run arbitrary Python as the Splunk process
Impact: pivot across SIEM data and the host

Vulnerability Assessment (AI)

Exploitation: Exploitation requires a valid authenticated Splunk session for a user that does NOT need to hold the 'admin' or 'power' roles (per CVSS PR:L and the description), no user interaction, and network reachability to a Splunk instance with the Splunk Secure Gateway app installed and enabled. Secure Gateway ships by default with recent Splunk Enterprise and Splunk Cloud builds, so this is the common case. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H indicates network-reachable, low-complexity exploitation by an authenticated low-privileged user with full CIA impact, which matches the description of a non-admin, non-power Splunk user achieving RCE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker who has obtained any low-privileged Splunk account, for example via phishing a routine analyst, reused credentials, or a compromised SSO session, authenticates to Splunk Web and submits a crafted JSON document to a Secure Gateway KV Store endpoint. When the Secure Gateway app reads that document back through jsonpickle, the embedded gadget chain instantiates arbitrary Python objects and executes attacker-controlled code in the Splunk process, giving full read/write access to indexed data, saved searches, and the underlying host.
Remediation: Vendor-released patch: upgrade Splunk Enterprise to 10.2.4, 10.0.7, 9.4.12, or 9.3.13 (or later in each branch); Splunk Cloud Platform is being updated by Splunk to 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, or 9.3.2411.132; and update the Splunk Secure Gateway app to 3.10.6, 3.9.20, or 3.8.67 per https://advisory.splunk.com/advisories/SVD-2026-0601. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Identify all Splunk Enterprise, Splunk Cloud Platform, and Splunk Secure Gateway deployments; immediately restrict KV Store access permissions to administrative accounts only. …
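The fixed versions in the Remediation text above are per release branch, so a plain string or "greater than" comparison gets the inventory step wrong (9.4.11 is vulnerable while 9.3.13 is patched). The following added example, which is not Splunk tooling, takes the fixed versions verbatim from the CVE description and classifies a constructed sample inventory branch by branch. Two assumptions are labelled in the code: a version on a branch the advisory does not list is treated as vulnerable when it is below the highest fixed release (a literal reading of "versions below") and as needing manual review when it is above it, and a host counts as exposed if either Splunk Enterprise or the Secure Gateway app on it is unpatched. `parse` expects the dotted numeric part only, not the "(build …)" suffix that `splunk version` prints.

```python
# Fixed versions per release branch, copied from the CVE description above.
FIXED = {
    "Splunk Enterprise": ["10.2.4", "10.0.7", "9.4.12", "9.3.13"],
    "Splunk Cloud Platform": ["10.3.2512.12", "10.2.2510.14", "10.1.2507.22", "9.3.2411.132"],
    "Splunk Secure Gateway": ["3.10.6", "3.9.20", "3.8.67"],
}

# Constructed sample inventory: (host, product, installed version), the kind of
# data gathered from `splunk version` and the app's version on each node.
INVENTORY = [
    ("sh-prod-01", "Splunk Enterprise", "9.4.11"),
    ("sh-prod-01", "Splunk Secure Gateway", "3.9.20"),
    ("idx-02", "Splunk Enterprise", "10.2.4"),
    ("dev-sh", "Splunk Enterprise", "9.2.3"),
    ("dev-sh", "Splunk Secure Gateway", "3.8.66"),
]


def parse(version: str) -> tuple:
    """'9.4.12' -> (9, 4, 12); tuples compare component-wise, unlike strings."""
    return tuple(int(part) for part in version.split("."))


def status(product: str, version: str) -> str:
    """'patched', 'vulnerable' or 'unknown-branch' for one installed component."""
    installed = parse(version)
    fixes = {parse(f)[:2]: parse(f) for f in FIXED[product]}   # branch -> fixed version
    fix = fixes.get(installed[:2])
    if fix is not None:
        return "patched" if installed >= fix else "vulnerable"
    # Assumption for branches the advisory does not list: below the highest fixed
    # release is still "below" a fixed version (e.g. an unsupported 10.1.x train);
    # above it is newer than the advisory and needs a manual check.
    return "vulnerable" if installed < max(fixes.values()) else "unknown-branch"


def report(inventory=INVENTORY) -> list:
    """One (host, product, version, status) row per inventory entry."""
    return [(host, product, ver, status(product, ver)) for host, product, ver in inventory]


def exposed_hosts(inventory=INVENTORY) -> list:
    """Assumption: a host is exposed if any of its listed components is unpatched."""
    return sorted({host for host, _, _, st in report(inventory) if st == "vulnerable"})


if __name__ == "__main__":
    for row in report():
        print("%-12s %-24s %-14s %s" % row)
    print("exposed:", exposed_hosts())
```

Run the report against the real inventory before the 24-hour restriction step so the KV Store permission change is applied where it matters and removed once each host shows "patched" on both rows.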




CVE-2026-20251 vulnerability details – vuln.today
