Public PoC for Splunk Secure Gateway RCE Vulnerability Released
A public proof-of-concept exploit is available for CVE-2026-20251, a critical RCE vulnerability in Splunk Secure Gateway, allowing low-privileged users to execute arbitrary code.

A public proof-of-concept (PoC) exploit has been released for CVE-2026-20251, a high-severity remote code execution (RCE) vulnerability affecting Splunk Secure Gateway (SSG). The flaw, carrying a CVSS score of 8.8, allows a low-privileged authenticated attacker to execute arbitrary code on the Splunk host server without requiring admin or power-level roles.
The vulnerability resides within Splunk Secure Gateway's alert processing pipeline. The component reads attacker-controlled documents from Splunk's App Key Value Store (KV Store), specifically the mobile_alerts collection. These documents are then passed directly to jsonpickle.decode(), a Python deserialization library capable of reconstructing arbitrary Python objects from crafted JSON. Although the call includes safe=True, this flag only blocks the legacy py/repr evaluation path, leaving critical gadget tags such as py/reduce, py/object, py/type, py/function, and py/module fully exploitable.
A secondary validator, check_alert_data_valid_json, is intended to block dangerous tags but short-circuits on the first recognized key. If the initial top-level key is a permitted py/object value starting with spacebridgeapp, the function immediately returns True without inspecting subsequent sibling keys, including any embedded py/reduce gadgets. This logic flaw is central to the exploit.
The exploit requires only a valid low-privilege Splunk account. An attacker can write a specially crafted bypass document to the mobile_alerts KV Store collection via the Splunk REST API. When SSG processes an alert fetch request, the alerts_request_processor.py script reads the document. The validator, tricked by the py/object key, incorrectly passes the document, allowing jsonpickle.decode() to reconstruct the malicious object and trigger arbitrary OS command execution.
The bypass document structure exploits this logic flaw. For example, a crafted document like {"py/object": "spacebridgeapp.data.alert_data.Alert","notification": {"py/reduce": [{"py/function": "subprocess.check_output"},{"py/tuple": [["uname", "-a"]]}]}} would cause the validator to approve the document based on the py/object key, never reaching the malicious notification payload.
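The validator flaw described above, as an added illustration that is not SSG's code or the researcher's PoC: flawed_is_valid models the assumed short-circuit behaviour (first recognised key decides), while find_gadget_tags and strict_is_valid walk the whole document so a py/reduce hidden under a sibling key is found and reported by its JSON path. The input document is the one quoted in the article; the benign document and all function names are constructed for this example.

```python
import json

# Gadget tags the article names as still honoured by jsonpickle.decode(safe=True).
GADGET_TAGS = {"py/reduce", "py/type", "py/function", "py/module"}
ALLOWED_OBJECT_PREFIX = "spacebridgeapp"

# Crafted document quoted in the article, used here as a test input.
BYPASS_DOC = json.loads(
    '{"py/object": "spacebridgeapp.data.alert_data.Alert",'
    '"notification": {"py/reduce": [{"py/function": "subprocess.check_output"},'
    '{"py/tuple": [["uname", "-a"]]}]}}'
)
# Constructed benign alert document with no pickle tags beyond the allowed py/object.
BENIGN_DOC = {"py/object": "spacebridgeapp.data.alert_data.Alert",
              "notification": {"title": "disk full", "severity": "high"}}


def flawed_is_valid(doc):
    """Assumed model of the short-circuit bug: the first recognised key decides."""
    for key, value in doc.items():
        if key == "py/object":
            return isinstance(value, str) and value.startswith(ALLOWED_OBJECT_PREFIX)
        if key in GADGET_TAGS:
            return False
    return True


def find_gadget_tags(node, path=""):
    """Return the JSON path of every gadget tag, or py/object outside the allowed namespace."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key in GADGET_TAGS:
                hits.append(here)
            elif key == "py/object" and not (
                    isinstance(value, str) and value.startswith(ALLOWED_OBJECT_PREFIX)):
                hits.append(here)
            hits.extend(find_gadget_tags(value, here))  # inspect siblings and children
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_gadget_tags(item, f"{path}[{i}]"))
    return hits


def strict_is_valid(doc):
    """Hardened check: pass only if no gadget tag appears anywhere in the tree."""
    return not find_gadget_tags(doc)
```

The same walk can be run over an export of the mobile_alerts collection to audit existing documents before the KV Store is read by the alert pipeline.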
Researcher Fady Oueslati of ReactiveZero Security Research published the PoC (poc_cve_2026_20251.py) on June 26, 2026. The PoC demonstrates both the validator bypass and the py/reduce execution under safe=True. The payload used in the PoC is benign, executing uname -a to confirm command execution. Testing was conducted on SSG 3.9.19 running on Splunk Enterprise 10.0.6.
Organizations are urged to immediately upgrade Splunk Secure Gateway to versions 3.9.20, 3.10.6, or 3.8.67, and Splunk Enterprise to 10.0.7, 10.2.4, or 10.4.0+. If immediate patching is not feasible, disabling or removing the Splunk Secure Gateway app entirely serves as a short-term mitigation, though this will disable Splunk Mobile, Spacebridge, and Mission Control functionality. Security teams should also enforce least-privilege roles, restrict KV Store write access to the mobile_alerts collection, and consider replacing jsonpickle.decode() on attacker-reachable code paths with strict schema-validated parsers.