Splunk RCE Lets Attackers Run Arbitrary Shell Commands

Severity

High

Analysis Summary

Splunk has published a security advisory for a high-severity Remote Command Execution (RCE) vulnerability tracked as CVE-2026-20163. The flaw affects both Splunk Enterprise and Splunk Cloud Platform and stems from improper handling of user-supplied input when the system previews an uploaded file before indexing it. Exploitation requires an attacker who already holds a high-privilege role, but a successful attack yields arbitrary command execution on the underlying host with the privileges of the Splunk process, which in practice can mean full control of that server.

The vulnerability, classified as CWE-77 (command injection), lies in the REST API, specifically the /splunkd/__upload/indexing/preview endpoint. An authenticated user whose role includes the edit_cmd capability controls the unarchive_cmd parameter of a file-upload preview request. Because that value is not sufficiently sanitized before it is passed to a shell, an attacker can append arbitrary shell commands, which then run directly on the Splunk server.
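Because the advisory names the endpoint, the capability and the parameter, a defender can hunt for abuse in splunkd access logs today, without waiting for vendor signatures. The script below is an added example, not code from Rewterz or Splunk: it parses access-log lines in a common-log style layout modelled on splunkd_access.log (the exact format is an assumption), pulls any unarchive_cmd value out of the request URI (accepting both a bare name and a props.-prefixed spelling, also an assumption), and rates each hit on the preview endpoint. The sample log lines are constructed; the last one carries a harmless "; id" tail to trigger the high-severity branch.

```python
"""Hunt for use of the vulnerable file-preview endpoint in splunkd access logs.

Added example: the log layout below is modelled on splunkd_access.log
(common-log style) and the sample lines are constructed, not real traffic.
"""
import re
from urllib.parse import parse_qs, urlsplit

PREVIEW_ENDPOINT = "/splunkd/__upload/indexing/preview"

# <client-ip> - <user> [<timestamp>] "<method> <uri> HTTP/x.y" <status> ...
# (assumed layout; adjust the regex to the exact format of your deployment)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Characters an honest unarchive command (e.g. "gunzip") never needs but that
# a command-injection payload relies on to chain a second command.
SHELL_META = re.compile(r'[;&|`$\n]')

# Constructed sample log; the last line carries a "; id" tail in the parameter.
SAMPLE_LOG = """\
10.0.0.5 - admin [13/Mar/2026:09:01:12.001 +0000] "GET /services/authentication/current-context HTTP/1.1" 200 1408 - - - 3ms
10.0.0.7 - analyst [13/Mar/2026:09:02:40.115 +0000] "POST /splunkd/__upload/indexing/preview?output_mode=json HTTP/1.1" 200 812 - - - 85ms
10.0.0.9 - power_user [13/Mar/2026:09:03:02.330 +0000] "POST /splunkd/__upload/indexing/preview?props.unarchive_cmd=gunzip HTTP/1.1" 200 790 - - - 91ms
203.0.113.4 - svc_ingest [13/Mar/2026:09:03:55.920 +0000] "POST /splunkd/__upload/indexing/preview?props.unarchive_cmd=gunzip%3B%20id HTTP/1.1" 200 790 - - - 120ms
"""


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def unarchive_cmd_values(uri):
    """Collect every unarchive_cmd value found in the URI query string.

    The parameter name comes from the advisory; whether it arrives bare or
    prefixed (props.unarchive_cmd) is an assumption, so both spellings match.
    """
    query = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    values = []
    for key, vals in query.items():
        if key.lower().rsplit(".", 1)[-1] == "unarchive_cmd":
            values.extend(vals)
    return values


def classify(event):
    """Rate one parsed request; None if it is not for the preview endpoint."""
    if urlsplit(event["uri"]).path != PREVIEW_ENDPOINT:
        return None
    cmds = unarchive_cmd_values(event["uri"])
    if any(SHELL_META.search(c) for c in cmds):
        return "high", "shell metacharacters in unarchive_cmd: %r" % cmds
    if cmds:
        return "medium", "unarchive_cmd supplied on preview endpoint"
    # POST bodies are not logged, so a plain hit is only a baseline signal.
    return "low", "preview endpoint used; check whether the caller holds edit_cmd"


def hunt(log_text):
    """Return one finding per preview-endpoint request, in log order."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        verdict = classify(event) if event else None
        if verdict:
            findings.append({"ts": event["ts"], "ip": event["ip"], "user": event["user"],
                             "level": verdict[0], "reason": verdict[1]})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print("%(level)-6s %(ts)s %(ip)s %(user)s  %(reason)s" % f)
```

The "low" verdict is deliberate: request bodies are not written to the access log, so a preview request with no parameter in the URI is not proof of innocence. Join those hits against the role membership of the calling account and treat any preview activity from an edit_cmd holder that is not a known ingest workflow as worth a look.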

The flaw was responsibly disclosed by a researcher together with members of the Splunk team. It affects Splunk Enterprise 10.0.0 through 10.0.3, 9.4.0 through 9.4.8 and 9.3.0 through 9.3.9, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, 10.0.2503.12 and 9.3.2411.124. Splunk Enterprise 10.2.0 is not affected, and Splunk is actively patching affected Cloud Platform instances.

Splunk strongly recommends upgrading to a fixed version: 10.2.0, 10.0.4, 9.4.9, 9.3.10 or later. Where an immediate upgrade is not possible, administrators should remove the edit_cmd capability from all roles, which removes the precondition for exploitation. No vendor detection signatures are currently available, so prompt patching and strict privilege management are the most effective defences.

Impact

  • Gain Access

Indicators of Compromise

CVE

  • CVE-2026-20163

Remediation

  • Update to a fixed Splunk Enterprise version: 10.2.0, 10.0.4, 9.4.9, 9.3.10 or later.
  • Confirm that Splunk Cloud Platform instances have received the fix; Splunk is deploying patches to affected versions.
  • If patching must wait, remove the edit_cmd capability from every role, including roles that inherit it through importRoles, until the upgrade is complete.
  • Review roles that carry high-level capabilities and restrict them to the smallest set of trusted users.
  • Monitor splunkd access logs for requests to the /splunkd/__upload/indexing/preview endpoint, particularly from accounts that hold edit_cmd, and alert on unexpected child processes spawned by splunkd; no vendor detection signatures exist yet.
  • Enforce input validation, privilege separation and tight access control around administrative interfaces to reduce the attack surface.
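The interim mitigation is only effective if every role that holds edit_cmd is found, and in Splunk a role can obtain a capability indirectly through importRoles. The script below is an added example, not Splunk's own tooling: it parses an authorize.conf-style fragment (constructed sample, not a real deployment), lists the roles that effectively hold edit_cmd, treating capabilities as additive through importRoles (the conservative reading for an audit, stated here as an assumption), and emits a copy of the configuration with every `edit_cmd = enabled` inside a role stanza flipped to disabled so the change can be diffed before it is applied.

```python
"""Audit which Splunk roles effectively hold edit_cmd and emit a conf with it disabled.

Added example: the authorize.conf fragment is constructed. Capabilities are
treated as additive through importRoles (a role that imports a role holding
edit_cmd is counted as holding it), which is the conservative reading for an audit.
"""

SAMPLE_AUTHORIZE_CONF = """\
# constructed sample, not taken from a real deployment
[capability::edit_cmd]

[role_admin]
importRoles = power;user
edit_cmd = enabled
edit_roles = enabled

[role_power]
importRoles = user
schedule_search = enabled

[role_user]
search = enabled

[role_ingest_ops]
importRoles = admin
list_inputs = enabled

[role_soc_analyst]
importRoles = power
"""

TARGET_CAP = "edit_cmd"


def parse_conf(text):
    """Minimal parser for Splunk .conf files: [stanza] headers and key = value lines."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def role_map(stanzas):
    """Role name -> settings, taken from the role_<name> stanzas only."""
    return {name[len("role_"):]: s for name, s in stanzas.items() if name.startswith("role_")}


def effective_holders(roles, cap=TARGET_CAP):
    """Roles that hold cap directly or through any depth of importRoles (cycle-safe)."""
    def holds(role, seen):
        if role in seen or role not in roles:
            return False
        seen.add(role)
        if roles[role].get(cap, "").lower() == "enabled":
            return True
        imports = roles[role].get("importRoles", "")
        return any(holds(r.strip(), seen) for r in imports.split(";") if r.strip())
    return sorted(r for r in roles if holds(r, set()))


def remediate(text, cap=TARGET_CAP):
    """Rewrite every 'cap = enabled' inside a role_* stanza to 'cap = disabled'.

    Comments, other capabilities and the [capability::...] stanza pass through
    untouched so the result can be diffed against the input before rollout.
    """
    out, in_role = [], False
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("[") and s.endswith("]"):
            in_role = s[1:-1].startswith("role_")
        elif in_role and "=" in s:
            key, _, value = s.partition("=")
            if key.strip() == cap and value.strip().lower() == "enabled":
                raw = f"{cap} = disabled"
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    before = effective_holders(role_map(parse_conf(SAMPLE_AUTHORIZE_CONF)))
    fixed = remediate(SAMPLE_AUTHORIZE_CONF)
    after = effective_holders(role_map(parse_conf(fixed)))
    print("roles effectively holding edit_cmd:", before)  # ['admin', 'ingest_ops']
    print("after remediation:", after)                     # []
```

In the sample, ingest_ops never mentions edit_cmd yet holds it through its import of admin, which is exactly the kind of role a stanza-by-stanza eyeball check misses. Run the audit against the merged configuration (for example the output of `splunk btool authorize list`) rather than a single file, since roles edited through Splunk Web land in an app's local directory, and re-run it after the upgrade before restoring edit_cmd to the roles that genuinely need it.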