Description
In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124, a user who holds a role that contains the high-privilege capability `edit_cmd` could execute arbitrary shell commands using the `unarchive_cmd` parameter for the `/splunkd/__upload/indexing/preview` REST endpoint.
Published: 2026-03-11
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution via REST endpoint
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an authenticated user with the edit_cmd capability to execute arbitrary shell commands through the unarchive_cmd parameter of the /splunkd/__upload/indexing/preview REST endpoint. This results in full remote code execution on the Splunk platform, compromising confidentiality, integrity, and availability. The weakness is a command injection flaw, identified as CWE‑77.

Affected Systems

Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform releases older than 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124 are affected. Users who can grant themselves or others the edit_cmd capability are at risk.

Risk and Exploitability

The CVSS score of 8 indicates high severity. EPSS is reported to be below 1%, suggesting a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Once the edit_cmd privilege is available, the attacker can gain complete system compromise. Prevention hinges on applying the vendor's patch or removing the privileged capability.

Generated by OpenCVE AI on March 24, 2026 at 18:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Splunk Enterprise to version 10.2.0 or newer, or to at least 10.0.4, 9.4.9, or 9.3.10, and upgrade Splunk Cloud Platform to at least 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, or 9.3.2411.124.
  • Verify that no user or role has the edit_cmd capability; if possible, revoke or reduce this privilege.
  • Monitor Splunk logs for attempts to access the /splunkd/__upload/indexing/preview endpoint and for suspicious command execution attempts.

Generated by OpenCVE AI on March 24, 2026 at 18:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Splunk splunk
CPEs cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*
cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*
Vendors & Products Splunk splunk

Thu, 12 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Splunk
Splunk splunk Cloud Platform
Splunk splunk Enterprise
Vendors & Products Splunk
Splunk splunk Cloud Platform
Splunk splunk Enterprise

Wed, 11 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
Description In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124, a user who holds a role that contains the high-privilege capability `edit_cmd` could execute arbitrary shell commands using the `unarchive_cmd` parameter for the `/splunkd/__upload/indexing/preview` REST endpoint.
Title Remote Command Execution (RCE) through the '/splunkd/__upload/indexing/preview' REST endpoint in Splunk Enterprise
Weaknesses CWE-77
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Splunk Splunk Splunk Cloud Platform Splunk Enterprise
cve-icon MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-03-12T13:23:31.857Z

Reserved: 2025-10-08T11:59:15.389Z

Link: CVE-2026-20163

cve-icon Vulnrichment

Updated: 2026-03-12T13:23:28.580Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T17:16:56.607

Modified: 2026-03-24T17:10:58.140

Link: CVE-2026-20163

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T11:50:12Z

Weaknesses