CVE-2026-20163
Received Received - Intake
Arbitrary Command Execution in Splunk via unarchive_cmd Parameter

Publication date: 2026-03-11

Last updated on: 2026-03-24

Assigner: Cisco Systems, Inc.

Description
In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124, a user who holds a role that contains the high-privilege capability `edit_cmd` could execute arbitrary shell commands using the `unarchive_cmd` parameter for the `/splunkd/__upload/indexing/preview` REST endpoint.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-24
Generated
2026-05-27
AI Q&A
2026-03-11
EPSS Evaluated
2026-05-25
NVD
CVE-2026-20163
EUVD
EUVD-2026-11229
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
splunk splunk_cloud_platform From 10.1.2507 (inc) to 10.1.2507.16 (exc)
splunk splunk_cloud_platform From 10.2.2510 (inc) to 10.2.2510.5 (exc)
splunk splunk_cloud_platform From 10.0.2503 (inc) to 10.0.2503.12 (exc)
splunk splunk_cloud_platform From 9.3.2411 (inc) to 9.3.2411.124 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-20163 is a high-severity remote command execution vulnerability in Splunk Enterprise and Splunk Cloud Platform. It affects certain versions of these products where a user with a high-privilege role containing the capability `edit_cmd` can exploit insufficient input sanitization of the `unarchive_cmd` parameter in the `/splunkd/__upload/indexing/preview` REST endpoint.

This flaw allows such a user to execute arbitrary shell commands on the affected system, which is linked to improper neutralization of special elements used in commands (CWE-77).


How can this vulnerability impact me? :

If exploited, this vulnerability allows an attacker with the `edit_cmd` capability to execute arbitrary shell commands remotely on the affected Splunk system.

This can lead to full compromise of the system, including unauthorized access, data manipulation, or disruption of services.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

No specific detection methods or commands for identifying this vulnerability on a network or system are provided in the available information.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade Splunk Enterprise to versions 10.2.0, 10.0.4, 9.4.9, or 9.3.10, or upgrade Splunk Cloud Platform to the corresponding fixed versions.

If upgrading immediately is not possible, remove the high-privilege capability `edit_cmd` from user roles to prevent exploitation.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart