PT-2026-48491 · Splunk · Splunk Enterprise
Published 2026-06-10 · Updated 2026-06-11 · CVE-2026-20251
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Splunk Enterprise versions prior to 10.2.4
Splunk Enterprise versions prior to 10.0.7
Splunk Enterprise versions prior to 9.4.12
Splunk Enterprise versions prior to 9.3.13
Splunk Cloud Platform versions prior to 10.3.2512.12
Splunk Cloud Platform versions prior to 10.2.2510.14
Splunk Cloud Platform versions prior to 10.1.2507.22
Splunk Cloud Platform versions prior to 9.3.2411.132
Splunk Secure Gateway versions prior to 3.10.6
Splunk Secure Gateway versions prior to 3.9.20
Splunk Secure Gateway versions prior to 3.8.67

Description
A low-privileged user without the 'admin' or 'power' role can achieve Remote Code Execution (RCE) through the Splunk Secure Gateway app. The root cause is unsafe deserialization of App Key Value Store (KV Store) data with the jsonpickle Python library, which reconstructs arbitrary Python objects from specially crafted JSON without sufficient validation.

Recommendations
Update Splunk Enterprise to version 10.2.4, 10.0.7, 9.4.12, or 9.3.13, depending on the current release track.
Update Splunk Cloud Platform to version 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, or 9.3.2411.132, depending on the current release track.
Update Splunk Secure Gateway to version 3.10.6, 3.9.20, or 3.8.67, depending on the current release track.
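As an added example (not from the advisory and not Splunk's code), the following Python gate shows the defensive principle behind the weakness described above: parse a KV Store-style record with the stdlib json module only and refuse any document that carries keys in jsonpickle's reserved "py/" tag namespace before it can reach an object-reconstructing decoder. The sample records, the "py/" prefix check and the placeholder class name are assumptions constructed for this example.

```python
import json

# jsonpickle encodes Python objects as JSON whose reserved keys live in the
# "py/" namespace (e.g. "py/object", "py/reduce", "py/type"). Plain data never
# needs them, so such a key in a data-only record signals an attempt to drive
# object reconstruction. Assumption: the prefix is the complete reserved set.
RESERVED_PREFIX = "py/"


def find_reserved_tags(node, path="$") -> list[str]:
    """Walk decoded JSON and return JSONPath-like locations of every dict key
    in jsonpickle's reserved 'py/' namespace, at any nesting depth."""
    hits: list[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if isinstance(key, str) and key.startswith(RESERVED_PREFIX):
                hits.append(here)
            hits.extend(find_reserved_tags(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_reserved_tags(item, f"{path}[{i}]"))
    return hits


def load_plain_record(raw: str) -> dict:
    """Parse a record with json.loads (which never builds Python objects) and
    fail closed with ValueError if jsonpickle tags are present."""
    doc = json.loads(raw)
    if not isinstance(doc, dict):
        raise ValueError("record must be a JSON object")
    tags = find_reserved_tags(doc)
    if tags:
        raise ValueError(f"rejected jsonpickle tags at: {', '.join(tags)}")
    return doc


# Constructed sample records (not taken from the advisory or from Splunk).
BENIGN_RECORD = '{"_key": "abc123", "owner": "alice", "devices": [{"name": "phone"}]}'
# A record smuggling a reconstruction tag inside a nested field; the class
# name is a placeholder, not a real gadget.
TAGGED_RECORD = (
    '{"_key": "abc123", "owner": "alice",'
    ' "devices": [{"py/object": "placeholder.module.SomeClass"}]}'
)

if __name__ == "__main__":
    print(load_plain_record(BENIGN_RECORD))
    try:
        load_plain_record(TAGGED_RECORD)
    except ValueError as exc:
        print("rejected:", exc)
```

The fix the advisory prescribes is the vendor update; the gate only illustrates why records that should hold data alone must be validated before any jsonpickle-style decoder sees them.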

Fix
RCE
Weakness Enumeration: Deserialization of Untrusted Data
Related Identifiers: CVE-2026-20251
Affected Products: Splunk Cloud Platform, Splunk Enterprise, Splunk Secure Gateway App, Jsonpickle