CVE-2026-20251

Summary

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could perform a Remote Code Execution (RCE) through the Splunk Secure Gateway app.<br><br>The Remote Code Execution is possible because of unsafe deserialization of App Key Value Store (KV Store) data through the ‘jsonpickle’ Python library, which reconstructs arbitrary Python objects from specially crafted JavaScript Object Notation (JSON) without adequate validation.

Affected Software

VendorProductVersion RangeStatus
SplunkSplunk Enterprise10.2 < 10.2.4affected
SplunkSplunk Enterprise10.0 < 10.0.7affected
SplunkSplunk Enterprise9.4 < 9.4.12affected
SplunkSplunk Enterprise9.3 < 9.3.13affected
SplunkSplunk Cloud Platform10.3.2512 < 10.3.2512.12affected
SplunkSplunk Cloud Platform10.2.2510 < 10.2.2510.14affected
SplunkSplunk Cloud Platform10.1.2507 < 10.1.2507.22affected
SplunkSplunk Cloud Platform9.3.2411 < 9.3.2411.132affected
SplunkSplunk Secure Gateway3.10 < 3.10.6affected
SplunkSplunk Secure Gateway3.9 < 3.9.20affected
SplunkSplunk Secure Gateway3.8 < 3.8.67affected

Weaknesses

  • CWE-502: The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References