Description
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could perform a Remote Code Execution (RCE) through the Splunk Secure Gateway app.

The Remote Code Execution is possible because of unsafe deserialization of App Key Value Store (KV Store) data through the ‘jsonpickle’ Python library, which reconstructs arbitrary Python objects from specially crafted JavaScript Object Notation (JSON) without adequate validation.
Published: 2026-06-10
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A low-privileged user who holds neither the ‘admin’ nor the ‘power’ role can execute arbitrary code through the Splunk Secure Gateway app. The app reads records from the App Key Value Store (KV Store) and decodes them with the jsonpickle Python library. jsonpickle is not a plain JSON parser: its documents carry reserved keys (“py/object”, “py/reduce” and similar) that name the Python classes and callables to rebuild, so a crafted record that reaches the app's KV Store data is turned into attacker-chosen Python objects, and from there into code execution on the Splunk instance, with no validation of what is being reconstructed.

Affected Systems

The flaw affects Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, as well as Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base score 8.8, High) describes a network-reachable flaw of low attack complexity that needs no user interaction and only a low-privileged account, with full impact on confidentiality, integrity and availability of the affected instance. No EPSS score is available and the CVE is not in the CISA KEV catalogue; the SSVC assessment recorded in the history below lists Exploitation as “none” and Automatable as “no”, so there is no evidence of in-the-wild exploitation at publication time. Because every authenticated account below ‘admin’ and ‘power’ can reach the vulnerable code path, the exposed population is the whole non-privileged user base of a deployment, and the outcome is code execution on the instance running the app, which makes this a high-priority fix for any affected Splunk deployment.

Generated by OpenCVE AI on June 10, 2026 at 19:51 UTC.

Remediation

No vendor advisory or workaround is linked on this page, but the description itself names the fixed versions for every affected product (listed under Recommended Actions below).

OpenCVE Recommended Actions

  • Upgrade to a fixed release of the branch you run: Splunk Enterprise 10.2.4, 10.0.7, 9.4.12 or 9.3.13 (or later on that branch); Splunk Cloud Platform 10.3.2512.12, 10.2.2510.14, 10.1.2507.22 or 9.3.2411.132; Splunk Secure Gateway 3.10.6, 3.9.20 or 3.8.67. Because the flaw is in the Secure Gateway app and both core and app versions are listed as affected, check the app's version on every instance where it is installed, not only the core Splunk version.
  • If an upgrade is not immediately possible and the Splunk Secure Gateway app is not in use on an instance, disable it; this page links no vendor advisory for this CVE, so treat that as general hardening rather than vendor-endorsed guidance. Do not rely on making the KV Store read-only or on removing “custom deserialization logic”: the unsafe jsonpickle decoding lives in the vendor app, not in customer code.
  • The exploit path is open to users who do NOT hold ‘admin’ or ‘power’, so restricting those two roles does not reduce exposure. Instead, review which roles can access the Splunk Secure Gateway app and remove it from accounts that do not need it, and audit the app's KV Store collections and the write requests reaching them for records containing jsonpickle tags (keys beginning with “py/”), which have no place in ordinary application data.

Generated by OpenCVE AI on June 10, 2026 at 19:51 UTC.
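Added example (not code from Splunk, OpenCVE or the jsonpickle project) showing the mechanism the description relies on and a way to act on the audit recommendation above: jsonpickle documents are ordinary JSON whose reserved “py/” keys tell decode() which classes to import, which callables to invoke and with what arguments, so any record a low-privileged user can influence must be parsed with plain json.loads and rejected if it carries such keys. The sample records, their field names and the callable path "some.module.run" are constructed placeholders, not Splunk Secure Gateway's real schema or a known gadget.

```python
"""Recognise jsonpickle object tags in JSON records and load untrusted
records without honouring them. Added example; not Splunk or jsonpickle code.

jsonpickle encodes Python objects as JSON whose dict keys use a "py/"
prefix ("py/object", "py/reduce", "py/function", "py/tuple", ...).
decode() reads those keys to import classes and call callables, which is
why it must never see data an untrusted user can write. json.loads, by
contrast, only ever yields dict/list/str/int/float/bool/None.
"""
from __future__ import annotations

import json
from typing import Any, Iterator

PICKLE_PREFIX = "py/"  # jsonpickle's reserved tag namespace


def find_pickle_tags(node: Any, path: str = "$") -> Iterator[tuple[str, str]]:
    """Yield (json_path, tag) for every dict key starting with "py/",
    descending through nested objects and arrays in document order."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(key, str) and key.startswith(PICKLE_PREFIX):
                yield child, key
            yield from find_pickle_tags(value, child)
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from find_pickle_tags(value, f"{path}[{idx}]")


def pickle_tags(raw: str) -> list[str]:
    """Tags present in one serialised record (empty list for plain data)."""
    return [tag for _, tag in find_pickle_tags(json.loads(raw))]


def load_untrusted_record(raw: str, schema: dict[str, type]) -> dict[str, Any]:
    """Hardened stand-in for jsonpickle.decode(raw): plain JSON parse, refuse
    any jsonpickle tag, then enforce an explicit allow-list of fields/types."""
    doc = json.loads(raw)
    if not isinstance(doc, dict):
        raise ValueError("record must be a JSON object")
    tags = [tag for _, tag in find_pickle_tags(doc)]
    if tags:
        raise ValueError(f"jsonpickle tags are not allowed here: {tags}")
    unknown = sorted(set(doc) - set(schema))
    if unknown:
        raise ValueError(f"unexpected fields: {unknown}")
    for field, typ in schema.items():
        if not isinstance(doc.get(field), typ):
            raise ValueError(f"field {field!r} missing or not {typ.__name__}")
    return doc


def scan_records(records: list[str]) -> list[tuple[str, list[str]]]:
    """Audit helper for a KV Store export (one JSON object per entry):
    returns (_key, tags) for every record that carries jsonpickle tags."""
    flagged: list[tuple[str, list[str]]] = []
    for raw in records:
        tags = pickle_tags(raw)
        if tags:
            flagged.append((json.loads(raw).get("_key", "?"), tags))
    return flagged


# Constructed sample records; field names and the callable path are
# placeholders, not Splunk Secure Gateway's schema or a known gadget.
BENIGN = '{"_key": "r1", "user": "alice", "device_name": "phone"}'
# The shape jsonpickle.decode() acts on: py/reduce lists a callable
# (py/function, resolved by import) and a py/tuple of arguments to call it with.
TAGGED = ('{"_key": "r2", "user": "mallory", "device_name": '
          '{"py/reduce": [{"py/function": "some.module.run"}, {"py/tuple": ["id"]}]}}')
SCHEMA = {"_key": str, "user": str, "device_name": str}

if __name__ == "__main__":
    print(load_untrusted_record(BENIGN, SCHEMA))
    print(scan_records([BENIGN, TAGGED]))
    try:
        load_untrusted_record(TAGGED, SCHEMA)
    except ValueError as err:
        print("rejected:", err)
```

Run the file directly to see the benign record accepted and the tagged one flagged and rejected. Pointing scan_records() at a dump of the app's KV Store collections (one JSON object per line) is a cheap way to look for records that should never contain jsonpickle tags; the loader shows the shape of the fix, which is to never hand user-writable data to jsonpickle.decode() at all.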


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 19:45:00 +0000

Type: First Time appeared
Values Added: Splunk; Splunk splunk Cloud Platform; Splunk splunk Enterprise; Splunk splunk Secure Gateway

Type: Vendors & Products
Values Added: Splunk; Splunk splunk Cloud Platform; Splunk splunk Enterprise; Splunk splunk Secure Gateway

Wed, 10 Jun 2026 19:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 18:15:00 +0000

Type: Description
Values Added: In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could perform a Remote Code Execution (RCE) through the Splunk Secure Gateway app. The Remote Code Execution is possible because of unsafe deserialization of App Key Value Store (KV Store) data through the ‘jsonpickle’ Python library, which reconstructs arbitrary Python objects from specially crafted JavaScript Object Notation (JSON) without adequate validation.

Type: Title
Values Added: Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway

Type: Weaknesses
Values Added: CWE-502

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: cisco

Published:

Updated: 2026-06-10T18:26:16.204Z

Reserved: 2025-10-08T11:59:15.401Z

Link: CVE-2026-20251

Vulnrichment

Updated: 2026-06-10T18:26:08.626Z

NVD

Status : Undergoing Analysis

Published: 2026-06-10T18:16:40.477

Modified: 2026-06-10T18:36:19.463

Link: CVE-2026-20251

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T20:00:16Z

Weaknesses