Remote Code Execution Vulnerability in Splunk Secure Gateway
Severity: High (Score: 70.5)
Sources: Advisory.Splunk, Cvefeed, www.cve.org
Summary
A critical vulnerability (CVE-2026-20251) has been identified in Splunk Enterprise, Splunk Cloud Platform, and Splunk Secure Gateway, allowing low-privileged users to execute remote code. This vulnerability arises from unsafe deserialization of App Key Value Store data via the 'jsonpickle' Python library. Affected versions include Splunk Enterprise below 10.2.4 and Splunk Cloud Platform below 10.3.2512.12. Splunk has rated this vulnerability as high severity (8.8) and recommends upgrading to the latest versions or removing the Splunk Secure Gateway app. The vulnerability was published on June 10, 2026, and poses a significant risk if not addressed promptly. Organizations are advised to monitor their systems and apply necessary updates or mitigations immediately.

Key Points:
- CVE-2026-20251 allows remote code execution for low-privileged users in Splunk products.
- Affected versions include Splunk Enterprise below 10.2.4 and Splunk Cloud Platform below 10.3.2512.12.
- Splunk rates this vulnerability as high severity (8.8) and recommends immediate action.
Detailed Analysis
**Impact**

Low-privileged users without the 'admin' or 'power' role in affected Splunk Enterprise, Splunk Cloud Platform, and Splunk Secure Gateway versions can execute arbitrary code remotely. This vulnerability potentially compromises the confidentiality, integrity, and availability of systems relying on these products. No specific sectors, geographies, or numbers of affected deployments are provided in the sources.

**Technical Details**

The vulnerability (CVE-2026-20251) arises from unsafe deserialization of App Key Value Store data via the 'jsonpickle' Python library, which reconstructs arbitrary Python objects from crafted JSON. Exploitation requires only low-privileged access. Affected versions are Splunk Enterprise below 10.2.4, 10.0.7, 9.4.12, and 9.3.13; Splunk Cloud Platform below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132; and Splunk Secure Gateway below 3.10.6, 3.9.20, and 3.8.67. The attack fits within the execution phase of the kill chain. No IOCs or malware/tool names are mentioned.

**Recommended Response**

Upgrade to Splunk Enterprise versions 10.4.0, 10.2.4, 10.0.7, 9.4.12, or 9.3.13 and ensure Splunk Cloud Platform instances are updated as per vendor guidance. Disable or remove the Splunk Secure Gateway app if it is not required, noting that Splunk Mobile, Spacebridge, and Mission Control depend on it. Monitor for unusual activity involving deserialization processes or unauthorized code execution attempts. No specific detection signatures or IOCs are provided.
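The root cause above is that jsonpickle will instantiate whatever class a stored record names, so the defensive fix is to never hand stored KV Store data to an object-reconstructing decoder at all. The following added example (not Splunk's or jsonpickle's own code) decodes a record with the standard `json` module, which only ever produces plain dicts and lists, and additionally rejects any record carrying jsonpickle's `py/`-prefixed control keys so that tagged data is caught even if a downstream component still uses jsonpickle. The record contents are constructed for illustration.

```python
import json

# jsonpickle namespaces all of its object-reconstruction metadata under
# keys beginning with "py/" (e.g. "py/object", "py/reduce"). Plain
# application data stored in a KV Store collection has no reason to
# contain such keys, so their presence is treated as hostile.
PICKLE_PREFIX = "py/"


def find_pickle_tags(node, path="$"):
    """Recursively collect JSON paths of any jsonpickle control keys."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(key, str) and key.startswith(PICKLE_PREFIX):
                hits.append(f"{path}.{key}")
            hits.extend(find_pickle_tags(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_pickle_tags(item, f"{path}[{i}]"))
    return hits


def tagged_paths(raw: str) -> list:
    """Parse raw JSON as plain data and report any reconstruction tags."""
    return find_pickle_tags(json.loads(raw))


def load_kvstore_record(raw: str) -> dict:
    """Decode a KV Store record as plain data only.

    json.loads never instantiates classes, so even a tagged payload comes
    back as ordinary dicts; the tag scan then rejects it outright instead
    of letting a later jsonpickle.decode() act on it.
    """
    tags = tagged_paths(raw)
    if tags:
        raise ValueError(f"refusing record with object-reconstruction tags: {tags}")
    return json.loads(raw)


# Constructed sample records (not taken from Splunk or the advisory).
BENIGN = '{"_key": "abc123", "user": "alice", "devices": [{"name": "phone"}]}'
TAGGED = '{"_key": "abc123", "user": {"py/object": "example.module.SomeClass", "py/state": {}}}'

if __name__ == "__main__":
    print(load_kvstore_record(BENIGN)["user"])
    try:
        load_kvstore_record(TAGGED)
    except ValueError as exc:
        print("rejected:", exc)
```

The same scan can run as a detection over exported KV Store collections to flag records that should never have contained reconstruction tags.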
Source articles (3)
- Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway — Advisory.Splunk · 2026-06-10
  In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versi…
- CVE-2026-20251 — Cvefeed · 2026-06-11
  In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versi…
- CVE-2026-20251 — www.cve.org · 2026-06-10
Timeline
- 2026-06-10 — CVE-2026-20251 published: Splunk disclosed a remote code execution vulnerability affecting multiple versions of its products.
CVEs
- CVE-2026-20251
Related entities
- Remote Code Execution (Attack Type)
- Zero-day Exploit (Attack Type)
- CWE-502 - Deserialization of Untrusted Data (CWE)
- cvefeed.io (Domain)
- Splunk (Platform)
- jsonpickle (Tool)