CVE-2026-20163
Received Received - Intake
Arbitrary Command Execution in Splunk via unarchive_cmd Parameter

Publication date: 2026-03-11

Last updated on: 2026-03-24

Assigner: Cisco Systems, Inc.

Description
In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124, a user who holds a role that contains the high-privilege capability `edit_cmd` could execute arbitrary shell commands using the `unarchive_cmd` parameter for the `/splunkd/__upload/indexing/preview` REST endpoint.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-20163
EUVD
EUVD-2026-11229
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
splunk splunk_cloud_platform From 10.1.2507 (inc) to 10.1.2507.16 (exc)
splunk splunk_cloud_platform From 10.2.2510 (inc) to 10.2.2510.5 (exc)
splunk splunk_cloud_platform From 10.0.2503 (inc) to 10.0.2503.12 (exc)
splunk splunk_cloud_platform From 9.3.2411 (inc) to 9.3.2411.124 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-20163 is a high-severity remote command execution vulnerability in Splunk Enterprise and Splunk Cloud Platform. It affects certain versions of these products where a user with a high-privilege role containing the capability `edit_cmd` can exploit insufficient input sanitization of the `unarchive_cmd` parameter in the `/splunkd/__upload/indexing/preview` REST endpoint.

This flaw allows such a user to execute arbitrary shell commands on the affected system, which is linked to improper neutralization of special elements used in commands (CWE-77).

Impact Analysis

If exploited, this vulnerability allows an attacker with the `edit_cmd` capability to execute arbitrary shell commands remotely on the affected Splunk system.

This can lead to full compromise of the system, including unauthorized access, data manipulation, or disruption of services.

Compliance Impact

I don't know

Detection Guidance

No specific detection methods or commands for identifying this vulnerability on a network or system are provided in the available information.

Mitigation Strategies

To mitigate this vulnerability, upgrade Splunk Enterprise to versions 10.2.0, 10.0.4, 9.4.9, or 9.3.10, or upgrade Splunk Cloud Platform to the corresponding fixed versions.

If upgrading immediately is not possible, remove the high-privilege capability `edit_cmd` from user roles to prevent exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-20163. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart