HarborGuard Database

CVE-2026-20251 · Severity: HIGH · CNA: cisco

CVE-2026-20251: Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user who does not hold the 'admin' or 'power' Splunk roles could perform a Remote Code Execution (RCE) through the Splunk Secure Gateway app.

The Remote Code Execution is possible because of unsafe deserialization of App Key Value Store (KV Store) data through the 'jsonpickle' Python library, which reconstructs arbitrary Python objects from specially crafted JavaScript Object Notation (JSON) without adequate validation.
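The root cause above is the general jsonpickle hazard: JSON that carries jsonpickle's reserved tags (py/object, py/reduce, py/function and the like) is turned into live Python objects on decode, so data read back from a store that low-privileged users can write must never reach jsonpickle.decode unvalidated. As an added example that is not code from the advisory, from Splunk, or from HarborGuard, the loader below uses only the standard json module, flags any reconstruction tag at any nesting depth, and refuses such records; the two KV Store records and the placeholder class path are constructed for illustration.

```python
import json
from typing import Any

# jsonpickle's reserved keys. Plain application records never need them;
# their presence means the JSON was built to be rebuilt into Python objects.
JSONPICKLE_TAGS = frozenset({
    "py/object", "py/type", "py/reduce", "py/function", "py/repr",
    "py/newargs", "py/newargsex", "py/state", "py/id", "py/seq",
    "py/tuple", "py/set", "py/b64", "py/iterator",
})

# Constructed sample records (not real Splunk data). The tagged one uses a
# placeholder class path; the tag itself is what the loader rejects.
BENIGN_RECORD = '{"_key": "dev-01", "device_name": "phone-a", "tokens": ["t1"]}'
TAGGED_RECORD = '{"_key": "dev-02", "meta": {"py/object": "placeholder.mod.Klass"}}'

class UnsafeRecordError(ValueError):
    """A record carries jsonpickle object-reconstruction tags."""


def find_pickle_tags(node: Any, path: str = "$") -> list[str]:
    """Return the location of every jsonpickle tag at any nesting depth."""
    hits: list[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key in JSONPICKLE_TAGS:
                hits.append(f"{path}.{key}")
            hits.extend(find_pickle_tags(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_pickle_tags(item, f"{path}[{i}]"))
    return hits


def scan_record(raw: str) -> list[str]:
    """Detection helper: tag locations in a raw JSON record (empty if clean)."""
    return find_pickle_tags(json.loads(raw))


def load_kvstore_record(raw: str) -> dict:
    """Hardened replacement for the vulnerable pattern `jsonpickle.decode(raw)`.
    json.loads only ever yields dicts, lists and scalars; the tag check then
    refuses records that would instantiate classes if handed to jsonpickle."""
    data = json.loads(raw)
    if not isinstance(data, dict):
        raise UnsafeRecordError("record must be a JSON object")
    hits = find_pickle_tags(data)
    if hits:
        raise UnsafeRecordError("jsonpickle tags at: " + ", ".join(hits))
    return data
```

Running scan_record over existing KV Store collections is a cheap way to check whether tagged records are already present before patching.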

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 3.8.67
Affected products: 3


HarborGuard Analysis

Synopsis

Unsafe deserialization of untrusted data in Splunk Secure Gateway allows a low-privileged authenticated user to execute arbitrary code on affected Splunk Enterprise and Splunk Cloud Platform instances. The vulnerability is reachable over the network and requires only a valid low-privilege account, with no additional user interaction needed. Successful exploitation gives the attacker full control over the host, including the ability to read, modify, or destroy data and disrupt service. Patched-image rebuilds at the fixed versions are available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-20251 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all container images in customer registries and CI/CD pipelines, including custom-built images that bundle Splunk Enterprise, Splunk Cloud Platform components, or the Splunk Secure Gateway app. Coverage extends to any image layer that carries an affected version of these packages.

Status: Available
Triage

HarborGuard scores this CVE at CVSS 8.8 HIGH and surfaces it with that severity weighting inside each customer environment, applying per-environment compliance policy rules to prioritize and route findings to the appropriate team inbox. Triage views show the affected image layers, the precise version range, and the available fix versions to support rapid decision-making.

Status: Available
Patch

Patched-image rebuilds pinned to the fixed versions (Splunk Secure Gateway 3.8.67, 3.9.20, or 3.10.6; Splunk Enterprise 9.3.13, 9.4.12, 10.0.7, or 10.2.4; Splunk Cloud Platform 9.3.2411.132, 10.1.2507.22, 10.2.2510.14, or 10.3.2512.12) are available on HarborGuard for any environment running an affected image. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes for environments with auto-remediation enabled.

Status: Available

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Splunk Secure Gateway HTTP endpoint over the network; the service must be accessible from the attacker's position.

  • Authentication: Required

    A valid Splunk account is needed, but any low-privilege account is sufficient; the attacker does not need admin or power-user rights.

  • Victim interaction: Not required

    No action by another user is needed; the attacker triggers the deserialization directly by sending a crafted request.

  • Attack complexity: Low

    Exploit complexity is low: no race conditions or special environmental factors are required, and a crafted JSON payload reliably triggers unsafe deserialization via the jsonpickle library.

Blast Radius

  • The attacker achieves remote code execution and gains the ability to run arbitrary operating system commands on the host running Splunk.
  • All data indexed in Splunk, including logs, events, and KV Store contents, becomes readable by the attacker, exposing potentially sensitive operational and security telemetry.
  • The attacker can modify or delete indexed data, KV Store records, and Splunk configuration, corrupting the integrity of the monitoring environment.
  • The attacker can crash or destabilize the Splunk service, disrupting log ingestion and alerting pipelines that depend on it.

How HarborGuard Handles This

Available on HarborGuard: detection of this CVE is matched against customer images within minutes of advisory ingestion, covering all affected version ranges across Splunk Enterprise, Splunk Cloud Platform, and the Splunk Secure Gateway app. For environments running an affected image, patched rebuilds at the fixed versions are available immediately. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image at the appropriate fixed version, runs a regression test suite, and opens a pull request against affected workloads; for high-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding is routed to the team inbox with full CVSS context, affected layer details, and fix-version guidance to support manual remediation. Given the low authentication bar for this exploit, prioritizing affected internet-facing or internally shared Splunk deployments is advisable; network policy controls that restrict access to the Secure Gateway endpoint to known trusted source ranges can reduce exposure while patching is scheduled.


Fix available

  • Splunk Secure Gateway: 3.8.67, 3.9.20, 3.10.6
  • Splunk Enterprise: 9.3.13, 9.4.12, 10.0.7, 10.2.4
  • Splunk Cloud Platform: 9.3.2411.132, 10.1.2507.22, 10.2.2510.14, 10.3.2512.12

Affected packages
  • Splunk / Splunk Enterprise
    < 10.2.4 (from 10.2) · < 10.0.7 (from 10.0) · < 9.4.12 (from 9.4) · < 9.3.13 (from 9.3)
  • Splunk / Splunk Cloud Platform
    < 10.3.2512.12 (from 10.3.2512) · < 10.2.2510.14 (from 10.2.2510) · < 10.1.2507.22 (from 10.1.2507) · < 9.3.2411.132 (from 9.3.2411)
  • Splunk / Splunk Secure Gateway
    < 3.10.6 (from 3.10) · < 3.9.20 (from 3.9) · < 3.8.67 (from 3.8)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H