HIGHCVE-2026-20163Published 2026-03-11Modified 2026-03-12CNA cisco

CVE-2026-20163: Remote Command Execution (RCE) through the '/splunkd/__upload/indexing/preview' REST endpoint in Splunk Enterprise

In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124, a user who holds a role that contains the high-privilege capability `edit_cmd` could execute arbitrary shell commands using the `unarchive_cmd` parameter for the `/splunkd/__upload/indexing/preview` REST endpoint.

CVSS v3.1: 8.0
Severity: HIGH
Fixed in: 9.3.10
Affected Products: 2

Fix available

9.3.109.3.2411.1249.4.910.0.410.0.2503.1210.1.2507.1610.2.2510.5

Affected packages

Splunk / Splunk Enterprise
< 10.0.4 (from 10.0) · < 9.4.9 (from 9.4) · < 9.3.10 (from 9.3)
Splunk / Splunk Cloud Platform
< 10.2.2510.5 (from 10.2.2510) · < 10.0.2503.12 (from 10.0.2503) · < 10.1.2507.16 (from 10.1.2507) · < 9.3.2411.124 (from 9.3.2411)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References

advisory.splunk.com

Metrics

Fix available