Splunk RCE Vulnerability

A serious security advisory has been published to warn users about a high-severity flaw that affects both the Splunk Enterprise and Splunk Cloud platforms. The flaw, tracked as CVE-2026-20163, carries a CVSS score of 8.0 and allows Remote Command Execution (RCE) on targeted systems.

The flaw stems from improper handling of user input when the system previews uploaded files before indexing them. Although exploitation requires high-level privileges, a successful exploit could let a malicious user take control of the underlying host server. The root weakness is classified as CWE-77: special elements used in a command are not properly neutralized.

The vulnerability lies in Splunk's REST API, specifically the /splunkd/__upload/indexing/preview endpoint. To exploit it, an attacker must already hold a user role that grants the high-privilege edit_cmd capability. With that in place, the attacker can alter the unarchive_cmd parameter while the file upload preview is running.

Because the system does not properly sanitize this input, the attacker can inject and run arbitrary shell commands directly on the server. The issue was responsibly reported; Danylo Dmytriiev (DDV_UA), together with Splunk internal team members Gabriel Nitu and James Ervin, were credited for it. The flaw affects a number of recent Splunk releases, and administrators should check their deployments against the affected versions listed below.

Affected versions are Splunk Enterprise 10.0.0–10.0.3, 9.4.0–9.4.8 and 9.3.0–9.3.9, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, 10.0.2503.12 and 9.3.2411.124. The base Splunk Enterprise 10.2 release is not affected. Splunk is also actively monitoring affected Cloud Platform instances and applying patches to them directly.

To protect infrastructure from possible attacks, Splunk strongly recommends remediating this flaw right away, either by updating or by applying temporary workarounds.

Upgrade Splunk Enterprise: administrators should install fixed versions 10.2.0, 10.0.4, 9.4.9, 9.3.10 or higher.

Use workarounds: if an immediate upgrade is not possible, the risk can be reduced by removing the high-privilege edit_cmd capability from all user roles. This breaks the exploit chain, because the permission needed to modify the command is no longer granted.
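As an added example (not code from Splunk or from the advisory), the following Python script covers the two administrative checks described above: comparing an installed version against the affected and fixed releases quoted here, and auditing an authorize.conf-style role definition for the edit_cmd capability, including roles that inherit it through importRoles, so that the workaround can be verified before and after the change. The configuration reader is a simplified model of authorize.conf written for this example, the sample role definitions are constructed, and reading the Cloud "below" versions per release line (keyed on major.minor) is an assumption.

```python
"""Triage helper for CVE-2026-20163 (added example, not Splunk's own code)."""
import re

# Affected Splunk Enterprise ranges (inclusive) and the fixed release for each
# line, as quoted in the advisory.
ENTERPRISE_RANGES = [
    ((10, 0, 0), (10, 0, 3), (10, 0, 4)),
    ((9, 4, 0), (9, 4, 8), (9, 4, 9)),
    ((9, 3, 0), (9, 3, 9), (9, 3, 10)),
]

# Splunk Cloud Platform fixed builds; assumption: "below" applies per release
# line, so a build is affected when it is on that line and lower than the fix.
CLOUD_FIXED = {
    (10, 2): (10, 2, 2510, 5),
    (10, 1): (10, 1, 2507, 16),
    (10, 0): (10, 0, 2503, 12),
    (9, 3): (9, 3, 2411, 124),
}


def parse_version(text):
    """'9.4.3' -> (9, 4, 3); the component count is kept as given."""
    return tuple(int(p) for p in text.strip().split("."))


def fmt(version):
    return ".".join(str(p) for p in version)


def enterprise_fix(version):
    """Fixed release to upgrade to, or None if outside every affected range."""
    v = (parse_version(version) + (0, 0, 0))[:3]  # normalise to major.minor.patch
    for low, high, fixed in ENTERPRISE_RANGES:
        if low <= v <= high:
            return fmt(fixed)
    return None


def cloud_fix(version):
    """Fixed Cloud build for this release line, or None if already at or above it."""
    v = parse_version(version)
    fixed = CLOUD_FIXED.get(v[:2])
    if fixed is not None and v < fixed:
        return fmt(fixed)
    return None


STANZA_RE = re.compile(r"^\[role_([^\]]+)\]$")


def parse_authorize_conf(text):
    """Simplified reader: [role_<name>] stanzas -> {name: {"imports": [...], "caps": {...}}}."""
    roles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = roles.setdefault(m.group(1), {"imports": [], "caps": {}})
            continue
        if current is None or "=" not in line:
            continue  # non-role stanzas are not modelled in this example
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "importRoles":
            current["imports"] = [r for r in value.split(";") if r]
        else:
            current["caps"][key] = value.lower()
    return roles


def effective_capabilities(roles, name, _seen=None):
    """Capabilities held directly or via importRoles (modelled as additive, cycle-safe)."""
    seen = _seen if _seen is not None else set()
    if name in seen or name not in roles:
        return set()
    seen.add(name)
    caps = {c for c, v in roles[name]["caps"].items() if v == "enabled"}
    for parent in roles[name]["imports"]:
        caps |= effective_capabilities(roles, parent, seen)
    return caps


def roles_with_capability(conf_text, capability="edit_cmd"):
    """Sorted names of every role that ends up with the capability, inheritance included."""
    roles = parse_authorize_conf(conf_text)
    return sorted(r for r in roles if capability in effective_capabilities(roles, r))


def without_capability(conf_text, capability="edit_cmd"):
    """Conf text with every '<capability> = ...' line removed (the advisory's workaround)."""
    return "\n".join(l for l in conf_text.splitlines()
                     if l.split("=", 1)[0].strip() != capability)


# Constructed sample authorize.conf; not taken from any real deployment.
SAMPLE_AUTHORIZE_CONF = """
[role_admin]
edit_cmd = enabled
search = enabled

[role_user]
search = enabled

[role_power]
importRoles = user
schedule_search = enabled

[role_onboarding]
importRoles = power;admin
"""

if __name__ == "__main__":
    for v in ("9.4.3", "10.0.4", "10.2.0"):
        print(f"Enterprise {v}: upgrade to {enterprise_fix(v)}")
    print("Cloud 10.2.2510.3: upgrade to", cloud_fix("10.2.2510.3"))
    print("roles holding edit_cmd:", roles_with_capability(SAMPLE_AUTHORIZE_CONF))
    print("after workaround:", roles_with_capability(without_capability(SAMPLE_AUTHORIZE_CONF)))
```

The audit follows importRoles because a role that never names edit_cmd itself (onboarding in the sample) still inherits it from admin; removing the capability only where it is spelled out, and then re-running the audit on the edited text, confirms that no role is left with it.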

There are currently no specific threat detection signatures for this vulnerability, so prompt patching and careful management of user privileges are essential.