VYPR
High severity (8.8) · NVD Advisory · Published Jun 10, 2026 · Updated Jun 10, 2026

CVE-2026-20251

Description

Splunk Secure Gateway allows RCE via unsafe deserialization of KV Store data by low-privileged users, affecting multiple versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user lacking 'admin' or 'power' roles can achieve Remote Code Execution (RCE) via the Splunk Secure Gateway app. This is due to unsafe deserialization of App Key Value Store (KV Store) data using the jsonpickle Python library, which reconstructs arbitrary Python objects from crafted JSON without sufficient validation [1].

Exploitation

An attacker with low privileges, who does not possess the 'admin' or 'power' Splunk roles, can exploit this vulnerability. They need to interact with the Splunk Secure Gateway app and provide specially crafted JavaScript Object Notation (JSON) data that is deserialized unsafely by the jsonpickle library, leading to the reconstruction of arbitrary Python objects [1].

Impact

Successful exploitation allows a low-privileged attacker to achieve Remote Code Execution (RCE) within the context of the Splunk Secure Gateway app. This could lead to a compromise of the Splunk instance with elevated privileges, depending on the permissions granted to the app and the user context under which it operates [1].

Mitigation

Upgrade Splunk Enterprise to version 10.4.0, 10.2.4, 10.0.7, 9.4.12, or 9.3.13, or higher. Splunk is actively patching Splunk Cloud Platform instances. Specific affected and fix versions for Splunk Enterprise, Splunk Cloud Platform, and Splunk Secure Gateway are detailed in the advisory [1]. As a mitigation, turn off or remove the Splunk Secure Gateway app [1].
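As an added illustration (not Splunk's code or its fix, which this page does not show), the Python check below decodes a stored record with plain `json.loads` and refuses any record whose keys start with `py/`, the prefix jsonpickle uses for its object-reconstruction tags. The sample records, field names and class name are constructed.

```python
import json

TAG_PREFIX = "py/"  # jsonpickle's reserved keys ("py/object", "py/reduce", ...) share this prefix

def _walk(node, path, hits):
    # Collect the JSON path of every dict key that carries the jsonpickle prefix.
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key.startswith(TAG_PREFIX):
                hits.append(child)
            _walk(value, child, hits)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            _walk(value, f"{path}[{i}]", hits)

def find_jsonpickle_tags(raw):
    """Return sorted JSON paths of jsonpickle tags found in a raw JSON string."""
    hits = []
    _walk(json.loads(raw), "$", hits)
    return sorted(hits)

def load_plain_record(raw):
    """Decode with json.loads only (plain dict/list/str/number values);
    refuse the record if any key asks jsonpickle to rebuild an object."""
    hits = find_jsonpickle_tags(raw)
    if hits:
        raise ValueError("jsonpickle tags in untrusted record: " + ", ".join(hits))
    return json.loads(raw)

# Constructed sample records; field names and the class name are hypothetical.
CLEAN = '{"_key": "device-1", "device_name": "phone", "labels": ["a", "b"]}'
TAGGED = ('{"_key": "device-2", "settings": '
          '[{"py/object": "example_module.ExampleClass", "value": 1}]}')

if __name__ == "__main__":
    print(load_plain_record(CLEAN))
    print(find_jsonpickle_tags(TAGGED))
```

The same scan can be run over an export of KV Store collections to flag records that already contain such tags.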

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
