CVE-2026-20163 in Splunk

Summary

by MITRE • 03/11/2026

In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124, a user who holds a role that contains the high-privilege capability `edit_cmd` could execute arbitrary shell commands using the `unarchive_cmd` parameter for the `/splunkd/__upload/indexing/preview` REST endpoint.


Analysis

by VulDB Data Team • 03/14/2026

This vulnerability exists within Splunk Enterprise and Splunk Cloud Platform products where a privileged user with the specific high-privilege capability edit_cmd can exploit a command injection flaw in the indexing preview upload endpoint. The vulnerability specifically affects versions prior to the mentioned secure releases, creating a critical security risk that allows for arbitrary code execution on the affected systems. The flaw resides in the handling of the unarchive_cmd parameter within the /splunkd/__upload/indexing/preview REST API endpoint, which fails to properly sanitize user-supplied input before executing system commands. This represents a classic command injection vulnerability that can be leveraged by attackers who have already gained access to a user account with sufficient privileges to utilize the edit_cmd capability.

This vulnerability stems from inadequate input validation and sanitization in the Splunk platform's upload processing functionality. When a user submits data through the indexing preview upload endpoint with a maliciously crafted unarchive_cmd parameter, the system incorporates this input directly into a shell command line without escaping or filtering it. This allows an attacker to inject additional commands that run with the privileges of the Splunk service account, potentially leading to complete system compromise. The vulnerability is particularly concerning because it requires only a user with the edit_cmd capability rather than full administrative privileges, so any custom role that has been granted edit_cmd is sufficient. Because the attack vector is the REST API, exploitation can occur remotely without physical access to the system.

The operational impact of this vulnerability is severe and multifaceted across enterprise security environments. Successful exploitation enables attackers to execute arbitrary shell commands with the privileges of the Splunk service account, potentially leading to complete system compromise, data exfiltration, or lateral movement within the network. Organizations using affected Splunk versions face significant risk of unauthorized access to their monitoring and security data, which could result in the exposure of sensitive operational information, compliance violations, and disruption of critical security operations. The vulnerability also undermines the principle of least privilege since it allows users with relatively modest permissions to escalate their access and execute system-level commands. Additionally, the impact extends beyond immediate system compromise as attackers could potentially use this capability to establish persistent backdoors, modify system configurations, or disable security controls within the Splunk environment.

Organizations should immediately upgrade to the fixed Splunk versions listed in the summary, which contain the security patches that address the input validation issue in the indexing preview upload endpoint. The recommended remediation is to apply the vendor-provided security updates to all affected Splunk Enterprise and Splunk Cloud Platform installations. Access controls should be reinforced to limit the number of users whose roles carry the edit_cmd capability, ensuring that only trusted administrators hold this high-privilege permission. Monitoring should be enhanced to detect unusual upload activity or command execution patterns within the Splunk environment. Security teams should also consider additional controls such as restricting access to the affected REST endpoint through firewall rules or an API gateway, and conducting thorough user access reviews to ensure appropriate privilege levels are maintained. This vulnerability aligns with CWE-77 and CWE-94 (command injection and code injection), and represents a technique commonly associated with the ATT&CK tactics of privilege escalation and execution through legitimate system tools and interfaces.
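The access review recommended above needs to account for role inheritance: a role that imports a role holding edit_cmd holds it too. The following audit script is an added example, not VulDB's or Splunk's code; it resolves imported_roles transitively and reports which roles and users effectively hold the capability. The sample data is constructed and assumes the JSON layout returned by Splunk's /services/authorization/roles and /services/authentication/users endpoints with output_mode=json (entry list, with capabilities, imported_roles and roles under content).

```python
"""Audit which Splunk roles and users effectively hold a capability such as edit_cmd."""
import json

# Constructed sample data (assumed to mirror the output_mode=json layout of
# /services/authorization/roles and /services/authentication/users).
ROLES_JSON = json.dumps({"entry": [
    {"name": "admin", "content": {"capabilities": ["edit_cmd", "admin_all_objects"],
                                  "imported_roles": []}},
    {"name": "power", "content": {"capabilities": ["schedule_search"],
                                  "imported_roles": ["user"]}},
    {"name": "user", "content": {"capabilities": ["search"], "imported_roles": []}},
    # A custom role that inherits edit_cmd indirectly by importing admin.
    {"name": "ingest_ops", "content": {"capabilities": ["edit_monitor"],
                                       "imported_roles": ["admin"]}},
]})
USERS_JSON = json.dumps({"entry": [
    {"name": "alice", "content": {"roles": ["admin"]}},
    {"name": "bob", "content": {"roles": ["power"]}},
    {"name": "carol", "content": {"roles": ["ingest_ops", "user"]}},
]})


def effective_capabilities(roles, name, seen=None):
    """Capabilities of role `name`, including those inherited through
    imported_roles at any depth. `seen` guards against import cycles."""
    seen = seen if seen is not None else set()
    if name in seen or name not in roles:
        return set()
    seen.add(name)
    caps = set(roles[name].get("capabilities", []))
    for parent in roles[name].get("imported_roles", []):
        caps |= effective_capabilities(roles, parent, seen)
    return caps


def audit(roles_json, users_json, capability="edit_cmd"):
    """Return (roles, users) that effectively hold `capability`, both sorted."""
    roles = {e["name"]: e["content"] for e in json.loads(roles_json)["entry"]}
    users = {e["name"]: e["content"].get("roles", [])
             for e in json.loads(users_json)["entry"]}
    flagged_roles = sorted(r for r in roles
                           if capability in effective_capabilities(roles, r))
    flagged_users = sorted(u for u, rs in users.items()
                           if any(r in flagged_roles for r in rs))
    return flagged_roles, flagged_users


if __name__ == "__main__":
    roles, users = audit(ROLES_JSON, USERS_JSON)
    print("roles holding edit_cmd:", roles)   # admin and ingest_ops
    print("users holding edit_cmd:", users)   # alice and carol
```

Against a live instance, fetch the two endpoints with output_mode=json using an account that can read roles and users, and pass the response bodies to audit(); any flagged role that is not an intended administrator role should have edit_cmd removed or its import chain broken.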

Responsible: Cisco

Reservation: 10/08/2025

Disclosure: 03/11/2026

Moderation: accepted

CPE: ready

EPSS: 0.00075

KEV: no

Activities: very low
