Splunk has released a critical security advisory regarding a high-severity Remote Command Execution (RCE) vulnerability, tracked as CVE-2026-20163 with a CVSS score of 8.0. The flaw resides in the Splunk Enterprise and Splunk Cloud Platform REST API, specifically affecting how the system handles file previews.
According to the advisory, the vulnerability allows an attacker to bypass security boundaries if they possess specific administrative rights. The advisory states that “a user who holds a role that contains the high-privilege capability edit_cmd could execute arbitrary shell commands using the unarchive_cmd parameter”.
The technical breakdown reveals that the issue stems from how the platform processes data before it is indexed. The advisory notes that “this occurs because of insufficient input sanitization when previewing uploaded files before indexing them”. By exploiting the /splunkd/_upload/indexing/preview REST endpoint, an authorized but potentially malicious user can run commands directly on the underlying server.
The vulnerability impacts several versions of both Splunk Enterprise and Splunk Cloud Platform:
- Splunk Enterprise: Versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10.
- Splunk Cloud Platform: Various versions including those below 10.2.2510.5 and 9.3.2411.124.
To secure environments, Splunk recommends that administrators “upgrade Splunk Enterprise to versions 10.2.0, 10.0.4, 9.4.9, 9.3.10, or higher”.
For organizations unable to perform an immediate upgrade, a temporary workaround is available to reduce the attack surface. Administrators should “remove the high-privilege capability edit_cmd from the role to remedy the problem” until the patch can be fully deployed.
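As an added defender-side check (not part of Splunk's advisory or tooling), the following Python tells whether a Splunk Enterprise version is below the fixed releases listed above and lists which roles in an authorize.conf hold edit_cmd, directly or inherited through importRoles, so administrators can see which roles the workaround applies to. The authorize.conf sample is constructed for illustration.

```python
import configparser
from typing import Dict, List, Tuple

# Fixed Splunk Enterprise releases named in the advisory, keyed by release line.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (10, 2): (10, 2, 0), (10, 0): (10, 0, 4), (9, 4): (9, 4, 9), (9, 3): (9, 3, 10),
}

def parse_version(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))

def is_affected(version: str) -> bool:
    """True when the version is below the fixed release of its line. A line the advisory
    does not list (e.g. 10.1.x) counts as affected when older than the newest fix, 10.2.0."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2], max(FIXED_VERSIONS.values()))
    return v < fixed

def roles_with_edit_cmd(conf_text: str) -> List[str]:
    """Return role names that hold edit_cmd directly or via importRoles (assumed
    authorize.conf layout: [role_<name>] stanzas, '<capability> = enabled')."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep 'importRoles' and capability names case-sensitive
    cp.read_string(conf_text)
    roles = {s[len("role_"):]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}

    def holds(role: str, seen: frozenset) -> bool:
        if role in seen or role not in roles:  # import cycle or unknown parent role
            return False
        opts = roles[role]
        if opts.get("edit_cmd", "").strip().lower() == "enabled":
            return True
        parents = (p.strip() for p in opts.get("importRoles", "").split(";"))
        return any(holds(p, seen | {role}) for p in parents if p)

    return sorted(r for r in roles if holds(r, frozenset()))

# Constructed sample authorize.conf (not taken from any real deployment).
SAMPLE_AUTHORIZE_CONF = """
[role_admin]
importRoles = power;user
edit_cmd = enabled
[role_power]
importRoles = user
edit_cmd = disabled
[role_user]
search = enabled
[role_ingest_ops]
importRoles = admin
"""
```

Note that role_ingest_ops is reported even though it never names edit_cmd itself, because it imports admin; removing the capability from admin alone clears both.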