CVE-2026-20163

Name of the Vulnerable Software and Affected Versions Splunk Enterprise versions prior to 10.2.0, 10.0.4, 9.4.9, and 9.3.10 Splunk Cloud Platform versions prior to 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124

Description A user with a role containing the edit cmd capability can execute arbitrary shell commands. This is possible through the unarchive cmd parameter of the /splunkd/ upload/indexing/preview REST endpoint. The issue stems from inadequate input sanitization, allowing for remote command execution.

Recommendations Update Splunk Enterprise to version 10.2.0 or later. Update Splunk Cloud Platform to version 10.2.2510.5 or later. Remove the edit cmd capability from user roles if an immediate update is not possible.