Mallory

Splunk RCE via `/splunkd/__upload/indexing/preview` and `unarchive_cmd` (CVE-2026-20163)

Tags: widely-deployed-product-advisory, internet-facing-service-vulnerability, cloud-service-vulnerability, proof-of-concept-release
Updated March 21, 2026 at 05:51 AM · 2 sources

Splunk disclosed a high-severity remote command execution (RCE) vulnerability, CVE-2026-20163 (CVSS 8.0), affecting Splunk Enterprise and Splunk Cloud Platform. The issue is a command injection weakness (CWE-77) in the REST endpoint /splunkd/__upload/indexing/preview, which backs the "preview an uploaded file before indexing" workflow: user-controlled input reaching that endpoint is not sufficiently sanitized before it is used to build a shell command.

Exploitation requires an authenticated user whose role holds the high-privilege capability edit_cmd; with that capability, an attacker can supply an unarchive_cmd parameter whose value is executed as a shell command on the underlying host. Because edit_cmd is the only gate, exposure comes down to which roles grant that capability, directly or through the roles they import. Reported affected versions are Splunk Enterprise 10.0.0–10.0.3, 9.4.0–9.4.8, and 9.3.0–9.3.9, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, 10.0.2503.12, and 9.3.2411.124. Fixed Enterprise versions are 10.0.4, 9.4.9, and 9.3.10; the 10.2 line (10.2.0 and later) is not affected. The disclosure credits researcher Danylo Dmytriiev (DDV_UA) along with Splunk personnel Gabriel Nitu and James Ervin.
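For hunting, the following Python script is an added example (not code from Splunk or from this page) that triages access-log lines for requests to the preview endpoint. The sample lines are constructed and assume the Apache-style layout of Splunk's web_access.log / splunkd_access.log (client, user, timestamp, request line, status); the query-string key `props.unarchive_cmd` is an assumed spelling, since the page only names the parameter `unarchive_cmd`, so the matcher keys on that suffix. A value sent in a multipart POST body never reaches the access log, so a preview request with no visible parameter still deserves review against the requesting user's roles.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (not real captures). Assumed layout:
# client - user [timestamp] "METHOD target HTTP/x" status bytes "referer" "ua" ...
SAMPLE_LOG = """\
10.10.1.5 - analyst [11/Mar/2026:09:12:01.221 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 5120 "-" "Mozilla/5.0" - 8ms
10.10.1.9 - svc_ingest [11/Mar/2026:09:14:47.004 +0000] "POST /en-US/splunkd/__upload/indexing/preview?output_mode=json&props.unarchive_cmd=sh%20-c%20%27id%3E%2Ftmp%2Fx%27 HTTP/1.1" 200 310 "-" "python-requests/2.31" - 140ms
10.10.1.7 - admin [11/Mar/2026:09:15:10.517 +0000] "POST /en-US/splunkd/__upload/indexing/preview?output_mode=json HTTP/1.1" 200 2048 "-" "Mozilla/5.0" - 95ms
10.10.1.5 - analyst [11/Mar/2026:09:16:00.000 +0000] "GET /en-US/splunkd/__raw/services/search/jobs HTTP/1.1" 200 880 "-" "Mozilla/5.0" - 12ms
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
PREVIEW_PATH = "/splunkd/__upload/indexing/preview"


def triage(log_text):
    """Return one finding per request that touched the preview endpoint."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if PREVIEW_PATH not in url.path:
            continue
        # parse_qs percent-decodes values, so the command reads as the client sent it
        params = parse_qs(url.query, keep_blank_values=True)
        cmds = [v for key, vals in params.items()
                if key.endswith("unarchive_cmd") for v in vals]
        findings.append({
            "ts": m["ts"], "client": m["client"], "user": m["user"],
            "method": m["method"], "status": int(m["status"]),
            "unarchive_cmd": cmds,
            # the parameter may also travel in the POST body, which access logs do not record,
            # so a hit without a visible value is "review", not "clean"
            "severity": "high" if cmds else "review",
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ts']} {f['user']}@{f['client']} "
              f"{f['method']} {f['status']} unarchive_cmd={f['unarchive_cmd']}")
```

Feed it the real log files (or the same lines exported from a search over them) and cross-check every "review" finding against whether that user's role holds edit_cmd, since that capability is the precondition the advisory names.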

Timeline

  1. Mar 12, 2026

    Splunk releases fixes and begins cloud patch deployment

    Splunk made fixed versions available for affected Splunk Enterprise and Splunk Cloud Platform releases and stated it was deploying patches to impacted cloud instances. The company also recommended upgrading immediately or removing the edit_cmd capability from roles as a workaround.

  2. Mar 11, 2026

    Splunk discloses CVE-2026-20163 command injection vulnerability

    Splunk disclosed a high-severity vulnerability, CVE-2026-20163, affecting Splunk Enterprise and Splunk Cloud Platform. The flaw allows authenticated users with the edit_cmd capability to execute arbitrary shell commands via the /splunkd/__upload/indexing/preview REST endpoint using the unarchive_cmd parameter.
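Applying the Mar 12 workaround (removing edit_cmd from roles) first requires knowing which roles hold it, and Splunk roles inherit capabilities from the roles listed in importRoles, so a role can hold edit_cmd without naming it in its own stanza. The script below is an added example, not Splunk tooling or anything from the page: it parses an authorize.conf-style file (stanzas `[role_<name>]`, `importRoles = a;b`, `edit_cmd = enabled`) and reports every role that effectively holds the capability together with the role(s) that grant it. The sample file is constructed, and the script assumes an importing role cannot switch off a capability inherited from an imported role (so `edit_cmd = disabled` in `[role_analyst]` does not protect a role that also imports a grantor); confirm that behaviour against your version's documentation before relying on it.

```python
import re

# Constructed authorize.conf excerpt (sample data, not from a real deployment).
SAMPLE_AUTHORIZE_CONF = """\
[role_user]
srchIndexesAllowed = main

[role_power]
importRoles = user
schedule_search = enabled

[role_admin]
importRoles = power;user
edit_cmd = enabled
edit_user = enabled

# custom onboarding role that was granted edit_cmd to manage scripted inputs
[role_ingest_ops]
importRoles = power
edit_cmd = enabled

[role_analyst]
importRoles = user
edit_cmd = disabled

# never mentions edit_cmd, but imports a role that grants it
[role_analyst_lead]
importRoles = analyst;ingest_ops
"""

STANZA_RE = re.compile(r"^\[role_(?P<role>[^\]]+)\]$")


def parse_roles(text):
    """Minimal authorize.conf reader: role name -> imports and direct edit_cmd grant."""
    roles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m["role"]
            roles[current] = {"imports": [], "edit_cmd": False}
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "importRoles":
            roles[current]["imports"] = [r for r in value.split(";") if r]
        elif key == "edit_cmd":
            roles[current]["edit_cmd"] = value.lower() == "enabled"
    return roles


def edit_cmd_holders(roles):
    """Map each role that effectively holds edit_cmd to the sorted roles that grant it.

    Assumption (labelled in the lead-in): inherited capabilities cannot be revoked by
    the importing role, so any grantor anywhere up the import chain counts.
    """
    def grantors(role, seen):
        if role in seen or role not in roles:
            return []                      # cycle guard / reference to an undefined role
        seen.add(role)
        found = [role] if roles[role]["edit_cmd"] else []
        for parent in roles[role]["imports"]:
            found += grantors(parent, seen)
        return found

    result = {}
    for role in roles:
        g = grantors(role, set())
        if g:
            result[role] = sorted(set(g))
    return result


if __name__ == "__main__":
    holders = edit_cmd_holders(parse_roles(SAMPLE_AUTHORIZE_CONF))
    for role, via in sorted(holders.items()):
        how = "directly" if role in via else "via " + ", ".join(via)
        print(f"{role:<14} holds edit_cmd {how}")
```

Run it over the local authorize.conf files that define roles (or over the merged stanza output that Splunk's btool prints for authorize) and remediate in the role that grants the capability, not in the role that merely inherits it; in the sample, fixing analyst_lead means editing ingest_ops.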


Related Stories

Splunk Enterprise and Cloud Platform Vulnerabilities Allow Remote Code Execution and SSRF

Splunk has disclosed six critical security vulnerabilities affecting both Splunk Enterprise and Splunk Cloud Platform, exposing organizations to significant risks. The vulnerabilities include multiple cross-site scripting (XSS) flaws, an unauthenticated server-side request forgery (SSRF) vulnerability, and other weaknesses in Splunk’s web components. Two of the most notable XSS vulnerabilities are CVE-2025-20367, a reflected XSS in the /app/search/table endpoint, and CVE-2025-20368, a stored XSS in the Saved Search and Job Inspector features. Both XSS flaws can be exploited by low-privileged users to execute malicious JavaScript in the browsers of other users, potentially compromising user sessions and exposing sensitive data. The SSRF vulnerability, CVE-2025-20371, is particularly severe as it allows unauthenticated attackers to coerce Splunk into making REST API calls on behalf of authenticated high-privilege users, which could lead to further compromise of internal systems. These vulnerabilities affect multiple versions of Splunk Enterprise, specifically those below 10.0.1, 9.4.4, 9.3.6, and 9.2.8, as well as various versions of Splunk Cloud Platform. Successful exploitation of these flaws could allow attackers to gain unauthorized access, escalate privileges, and perform actions on behalf of legitimate users. Splunk has released patches addressing all six vulnerabilities and urges administrators to update their deployments immediately to mitigate the risks. The vulnerabilities highlight the importance of regular security assessments and prompt patch management in enterprise environments. Organizations using affected Splunk versions are advised to review their access logs for signs of exploitation and to apply the security updates without delay. The disclosure underscores the potential impact of web-based vulnerabilities in widely used security and analytics platforms. 
Security teams should also consider reviewing user permissions and monitoring for unusual activity in Splunk environments. The coordinated disclosure and rapid patching demonstrate the ongoing efforts by vendors and the security community to address critical flaws. These vulnerabilities, if left unpatched, could be leveraged in targeted attacks against organizations relying on Splunk for security monitoring and data analytics. The incident serves as a reminder of the evolving threat landscape and the need for vigilance in securing enterprise software. Splunk’s response includes detailed advisories and guidance for affected customers. The company has not reported any active exploitation in the wild at the time of disclosure, but the technical details provided could accelerate attempts by threat actors to develop exploits. Organizations are encouraged to stay informed about security advisories and to implement layered defenses to reduce the risk of compromise.

1 month ago

Privilege Escalation Vulnerabilities in Splunk Enterprise and Universal Forwarder for Windows

Splunk has disclosed two high-severity vulnerabilities, CVE-2025-20386 and CVE-2025-20387, affecting its Enterprise and Universal Forwarder products on Windows platforms. These flaws arise from incorrect NTFS file permissions set during installation and upgrades, allowing non-administrator users to access, modify, or overwrite sensitive files within the Splunk installation directories. The vulnerabilities enable local privilege escalation, potentially allowing attackers or compromised users to gain administrative access, alter configurations, or execute malicious code under elevated privileges. No active exploitation has been reported, but the risk remains significant for unpatched systems. The vulnerabilities impact both new installations and upgrades, with affected directories containing executable binaries, configuration files, and scripts critical to Splunk's operation. Attackers with local access could replace binaries, modify configuration files, inject malicious startup scripts, or hijack supporting executables, leading to full system compromise. Splunk has released patched versions (10.0.2, 9.4.6, 9.3.8, and 9.2.10) and strongly advises customers to upgrade immediately to mitigate these risks and prevent potential privilege escalation attacks.

1 month ago

Elastic Stack Patches High-Severity Kibana SSRF/File Disclosure and Elasticsearch LZ4 Information Disclosure

Elastic issued security updates for *Elasticsearch* and *Kibana* (8.19.10, 9.1.10, 9.2.4) to address multiple vulnerabilities, including two high-severity issues with significant data-exposure risk. In Kibana, **CVE-2026-0532** (CVSS 8.6) affects the **Google Gemini connector** and combines *SSRF* with *external control of file name/path* to enable **arbitrary file disclosure** and arbitrary outbound network requests via a specially crafted `credentials` JSON payload; exploitation requires authenticated access with privileges to create or modify connectors. Elasticsearch addressed an **information disclosure** flaw in the **yawkat LZ4 Java** decompressor (**CVE-2025-66566**) that can leak prior buffer contents when an attacker sends specially crafted compressed input over the transport layer; affected versions span 7.14.0–7.17.29, 8.0.0–8.19.9, and 9.0.0–9.2.3. Elastic recommended upgrading to the fixed releases and provided mitigations for those unable to patch immediately, including switching `transport.compression_scheme` to `deflate` or disabling transport compression (`transport.compress: false`), while Kibana users can mitigate by disabling the vulnerable connector type via `xpack.actions.enabledActionTypes` configuration; Elastic Cloud Serverless was reported as remediated prior to public disclosure.

1 month ago