CVE-2026-20251
Analyzed - Analysis Complete
Remote Code Execution in Splunk via KV Store Deserialization

Publication date: 2026-06-10

Last updated on: 2026-06-15

Assigner: Cisco Systems, Inc.

Description
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could perform a Remote Code Execution (RCE) through the Splunk Secure Gateway app.

The Remote Code Execution is possible because of unsafe deserialization of App Key Value Store (KV Store) data through the 'jsonpickle' Python library, which reconstructs arbitrary Python objects from specially crafted JavaScript Object Notation (JSON) without adequate validation.
Meta Information
Published: 2026-06-10
Last Modified: 2026-06-15
Generated: 2026-06-17
AI Q&A: 2026-06-10
EPSS Evaluated: 2026-06-16
Affected Vendors & Products
Showing 11 associated CPEs
Vendor Product Version / Range
splunk splunk From 10.0.0 (inc) to 10.0.7 (exc)
splunk splunk From 10.2.0 (inc) to 10.2.4 (exc)
splunk splunk From 9.3.0 (inc) to 9.3.13 (exc)
splunk splunk From 9.4.0 (inc) to 9.4.12 (exc)
splunk splunk_cloud_platform From 10.1.2507 (inc) to 10.1.2507.22 (exc)
splunk splunk_cloud_platform From 10.2.2510 (inc) to 10.2.2510.14 (exc)
splunk splunk_cloud_platform From 10.3.2512 (inc) to 10.3.2512.12 (exc)
splunk splunk_cloud_platform From 9.3.2411 (inc) to 9.3.2411.132 (exc)
splunk splunk_secure_gateway From 3.10.0 (inc) to 3.10.6 (exc)
splunk splunk_secure_gateway From 3.8.0 (inc) to 3.8.67 (exc)
splunk splunk_secure_gateway From 3.9.0 (inc) to 3.9.20 (exc)
CWE
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Compliance Impact

CVE-2026-20251 is a high severity Remote Code Execution vulnerability that can impact the confidentiality, integrity, and availability of affected Splunk systems. Such impacts can potentially lead to unauthorized access or manipulation of sensitive data.

Because of these risks, organizations using vulnerable versions of Splunk Enterprise, Splunk Cloud Platform, or Splunk Secure Gateway may face challenges in maintaining compliance with data protection regulations and standards such as GDPR and HIPAA, which require safeguarding sensitive data against unauthorized access and ensuring system integrity.

Mitigating this vulnerability by upgrading to patched versions or disabling the vulnerable Splunk Secure Gateway app is critical to reduce the risk of non-compliance due to potential data breaches or system compromises.

Mitigation Strategies

The recommended immediate mitigation is to upgrade Splunk Enterprise, Splunk Cloud Platform, and Splunk Secure Gateway to the patched versions that fix this vulnerability.

As a temporary workaround, if the Splunk Secure Gateway app is not in use, it can be disabled or removed. However, this may impact functionality related to Splunk Mobile, Spacebridge, and Mission Control.

Executive Summary

CVE-2026-20251 is a Remote Code Execution (RCE) vulnerability affecting certain versions of Splunk Enterprise, Splunk Cloud Platform, and Splunk Secure Gateway.

The vulnerability arises because a low-privileged user, who does not have 'admin' or 'power' roles, can exploit unsafe deserialization of App Key Value Store (KV Store) data.

This unsafe deserialization happens through the 'jsonpickle' Python library, which reconstructs arbitrary Python objects from specially crafted JSON data without proper validation, allowing execution of arbitrary code remotely.
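
The input check below is an added example, not Splunk's code or its fix: it refuses JSON that carries jsonpickle-style `py/` type tags before the data can reach a decoder that rebuilds objects. The field names, the class name and both sample documents are constructed, and treating every key that starts with `py/` as a type tag is an assumption of this example.

```python
import json

# jsonpickle marks "rebuild a Python object here" with keys such as "py/object".
# Assumption: any key starting with this prefix is a type tag and is refused.
TAG_PREFIX = "py/"
MAX_DEPTH = 64  # constructed limit that bounds recursion on hostile nesting

# Constructed sample documents (hypothetical KV Store records).
SAMPLE_PLAIN = '{"device_id": "abc123", "settings": {"alerts": [1, 2]}}'
SAMPLE_TAGGED = (
    '{"device_id": "abc123", '
    '"settings": [{"py/object": "example_module.ExampleClass"}]}'
)


def find_type_tags(value, path="$", depth=0):
    """Return the JSON path of every key that starts with TAG_PREFIX."""
    if depth > MAX_DEPTH:
        raise ValueError(f"nesting deeper than {MAX_DEPTH} at {path}")
    hits = []
    if isinstance(value, dict):
        for key, child in value.items():
            here = f"{path}.{key}"
            if key.startswith(TAG_PREFIX):
                hits.append(here)
            hits.extend(find_type_tags(child, here, depth + 1))
    elif isinstance(value, list):
        for index, child in enumerate(value):
            hits.extend(find_type_tags(child, f"{path}[{index}]", depth + 1))
    return hits


def load_plain_json(raw):
    """Parse raw JSON into plain dicts, lists and scalars; refuse tagged input."""
    doc = json.loads(raw)  # json.loads never instantiates arbitrary classes
    hits = find_type_tags(doc)
    if hits:
        raise ValueError("type-tagged JSON refused: " + ", ".join(hits))
    return doc


if __name__ == "__main__":
    print(load_plain_json(SAMPLE_PLAIN))
    print(find_type_tags(json.loads(SAMPLE_TAGGED)))
```

Callers should consume the object returned by `load_plain_json` rather than re-parsing the raw string, so that the data that was checked is the data that gets used.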

Impact Analysis

This vulnerability can have a significant impact because it allows a low-privileged user to execute arbitrary code remotely on affected systems.

The CVSSv3.1 score of 8.8 (High) reflects the potential for serious consequences including compromise of confidentiality, integrity, and availability of the system.

Exploitation could lead to unauthorized access, data manipulation, service disruption, or full system compromise.

Detection Guidance

There are currently no official detection methods or commands available to identify this vulnerability on your network or system.
