Arbitrary Shell Exec via unarchive_cmd in Splunk Enterprise <10.2.0
CVE-2026-20163 Published on March 11, 2026
Remote Command Execution (RCE) through the '/splunkd/__upload/indexing/preview' REST endpoint in Splunk Enterprise
In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124, a user who holds a role that contains the high-privilege capability `edit_cmd` could execute arbitrary shell commands using the `unarchive_cmd` parameter for the `/splunkd/__upload/indexing/preview` REST endpoint.
Weakness Type
What is a Command Injection Vulnerability?
The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CVE-2026-20163 has been classified to as a Command Injection vulnerability or weakness.
Products Associated with CVE-2026-20163
stack.watch emails you whenever new vulnerabilities are published in Splunk or Splunk Cloud Platform. Just hit a watch button to start following.
Affected Versions
Splunk Enterprise:- Version 10.0 and below 10.0.4 is affected.
- Version 9.4 and below 9.4.9 is affected.
- Version 9.3 and below 9.3.10 is affected.
- Version 10.2.2510 and below 10.2.2510.5 is affected.
- Version 10.0.2503 and below 10.0.2503.12 is affected.
- Version 10.1.2507 and below 10.1.2507.16 is affected.
- Version 9.3.2411 and below 9.3.2411.124 is affected.