CVE-2026-20251— Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway
Possible ATT&CK Techniques 3AI
T1078 · Valid Accounts T1059 · Command and Scripting Interpreter T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 11
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Splunk | Splunk Cloud Platform | 10.3.2512< 10.3.2512.12 | affected |
10.2.2510< 10.2.2510.14 | affected | ||
10.1.2507< 10.1.2507.22 | affected | ||
9.3.2411< 9.3.2411.132 | affected | ||
| Splunk | Splunk Enterprise | 10.2< 10.2.4 | affected |
10.0< 10.0.7 | affected | ||
9.4< 9.4.12 | affected | ||
9.3< 9.3.13 | affected | ||
| Splunk | Splunk Secure Gateway | 3.10< 3.10.6 | affected |
3.9< 3.9.20 | affected | ||
3.8< 3.8.67 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-20251
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway
Source: NVD (National Vulnerability Database)
Vulnerability Description
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could perform a Remote Code Execution (RCE) through the Splunk Secure Gateway app.<br><br>The Remote Code Execution is possible because of unsafe deserialization of App Key Value Store (KV Store) data through the ‘jsonpickle’ Python library, which reconstructs arbitrary Python objects from specially crafted JavaScript Object Notation (JSON) without adequate validation.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
可信数据的反序列化
Source: NVD (National Vulnerability Database)
Vulnerability Title
Splunk多款产品 代码问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Splunk等都是美国Splunk公司的产品。Splunk是一套数据收集分析软件。Splunk Cloud Platform是一个强大的数据收集、处理和分析服务。Splunk Enterprise是一套数据收集分析软件。 Splunk多款产品存在代码问题漏洞,该漏洞源于通过jsonpickle Python库对App Key Value Store数据进行不安全反序列化,可能导致低权限用户进行远程代码执行。以下产品及版本受到影响:Splunk Enterprise 10.2.4之前版本、10.0.7之前版
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Splunk | Splunk Enterprise | 10.2 ~ 10.2.4 | - | |
| Splunk | Splunk Cloud Platform | 10.3.2512 ~ 10.3.2512.12 | - | |
| Splunk | Splunk Secure Gateway | 3.10 ~ 3.10.6 | - |
II. Public POCs for CVE-2026-20251
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-20251
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-20251 (1)
Same Patch Batch · Splunk · 2026-06-10 · 10 CVEs total
| CVE-2026-20253 | 9.8 CRITICAL | Unauthenticated Arbitrary File Creation and Truncation in a PostgreSQL Sidecar Service End |
| CVE-2026-20252 | 7.6 HIGH | Server-Side Request Forgery (SSRF) through Dashboard Studio PDF Export in Splunk Enterpris |
| CVE-2026-20258 | 7.1 HIGH | Stored Cross-Site Scripting (XSS) through Classic Dashboard in Splunk Enterprise |
| CVE-2026-20254 | 5.7 MEDIUM | Information Disclosure through External Content Restriction Bypass in Splunk Enterprise |
| CVE-2026-20257 | 5.7 MEDIUM | Improper Input Validation through Classic Dashboard CSS in Splunk Enterprise |
| CVE-2026-20255 | 5.7 MEDIUM | Improper Input Validation through Classic Dashboards in Splunk Enterprise |
| CVE-2026-20256 | 5.7 MEDIUM | Improper Input Validation through Protocol-Relative URL in Classic Dashboards in Splunk En |
| CVE-2026-20259 | 5.5 MEDIUM | Improper Access Control in Splunk Enterprise |
| CVE-2026-20260 | 4.3 MEDIUM | Log Injection through HTTP Request Paths in Splunk SOAR |
IV. Related Vulnerabilities
Same product: Splunk Enterprise
- CVE-2026-20258
Stored Cross-Site Scripting (XSS) through Classic Dashboard - CVE-2026-20253
Unauthenticated Arbitrary File Creation and Truncation in a - CVE-2026-20252
Server-Side Request Forgery (SSRF) through Dashboard Studio - CVE-2026-20257
Improper Input Validation through Classic Dashboard CSS in S - CVE-2026-20259
Improper Access Control in Splunk Enterprise
Same vendor: Splunk
- CVE-2026-20266
OS Command Injection in the btool Configuration Helper in Sp - CVE-2026-20265
Insecure Default Domain Allowlist in Splunk AI Toolkit - CVE-2026-20258
Stored Cross-Site Scripting (XSS) through Classic Dashboard - CVE-2026-20260
Log Injection through HTTP Request Paths in Splunk SOAR - CVE-2026-20253
Unauthenticated Arbitrary File Creation and Truncation in a
Same weakness: CWE-502
- CVE-2025-27511
GeoServer DB2 DataStore Extension has a JNDI Vulnerability v - CVE-2026-8024
Deserialization vulnerability in ibaPDA and ibaDatCoordinato - CVE-2026-53805
NVIDIA SIL GEN3C Unauthenticated RCE via Pickle Deserializat - CVE-2026-53874
picklescan - Arbitrary Code Execution via Obfuscated eval Ca - CVE-2025-71321
picklescan - Arbitrary File Writing via distutils Module Byp
V. Comments for CVE-2026-20251
No comments yet