Splunk Secure Gateway RCE via Unsafe Deserialization (jsonpickle) <3.10.6: CVE-2026-20251 June 2026

Splunk Secure Gateway RCE via Unsafe Deserialization (jsonpickle) <3.10.6
CVE-2026-20251 Published on June 10, 2026

Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could perform a Remote Code Execution (RCE) through the Splunk Secure Gateway app.<br><br>The Remote Code Execution is possible because of unsafe deserialization of App Key Value Store (KV Store) data through the jsonpickle Python library, which reconstructs arbitrary Python objects from specially crafted JavaScript Object Notation (JSON) without adequate validation.

Weakness Type

What is a Marshaling, Unmarshaling Vulnerability?

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

CVE-2026-20251 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.

Products Associated with CVE-2026-20251

Want to know whenever a new CVE is published for Splunk products? stack.watch will email you.

Affected Versions

Version 10.2 and below 10.2.4 is affected.

Version 10.0 and below 10.0.7 is affected.

Version 9.4 and below 9.4.12 is affected.

Version 9.3 and below 9.3.13 is affected.

Version 10.3.2512 and below 10.3.2512.12 is affected.

Version 10.2.2510 and below 10.2.2510.14 is affected.

Version 10.1.2507 and below 10.1.2507.22 is affected.

Version 9.3.2411 and below 9.3.2411.132 is affected.

Version 3.10 and below 3.10.6 is affected.

Version 3.9 and below 3.9.20 is affected.

Version 3.8 and below 3.8.67 is affected.

Exploit Probability

EPSS

0.58%

Percentile

42.86%