Critical OS Command Injection Patched in Splunk AI Toolkit
Splunk disclosed a critical vulnerability in Splunk AI Toolkit that allows OS command injection through the btool Configuration Helper, affecting versions earlier than 5.7.4. Tracked as CVE-2026-20266 and rated CVSS 9.1, the flaw stems from unsafe shell execution that can let a user with the Splunk admin role run arbitrary commands on the host running Splunk Enterprise, creating a direct path to host compromise.
Splunk also fixed CVE-2026-20265, a lower-severity insecure default domain allowlist issue rated CVSS 4.3 that could allow a low-privileged user to trigger outbound HTTP requests and potentially exfiltrate data to an attacker-controlled server. The Canadian Centre for Cyber Security highlighted the vendor advisory in AV26-614 and urged administrators to review Splunk’s guidance and upgrade to version 5.7.4 or later; public reporting said there was no confirmed exploitation in the wild at disclosure time.

How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Atlassian publishes 100 security bulletins for Data Center and Server products
On 2026-06-18, Atlassian announced security updates covering dozens of vulnerabilities across multiple Data Center and Server products, largely tied to third-party dependencies such as Axios, Apache Tomcat, and Netty. The company addressed several critical-severity CVEs through product updates and urged users to upgrade promptly.
Canadian Centre for Cyber Security issues advisory AV26-614
On 2026-06-17, the Canadian Centre for Cyber Security published advisory AV26-614 highlighting Splunk's security update, including the critical Splunk AI Toolkit issue. The advisory urged users and administrators to review Splunk's advisories and apply the necessary updates.
Splunk discloses Splunk AI Toolkit vulnerabilities and releases version 5.7.4
On 2026-06-17, Splunk published security advisories for vulnerabilities in Splunk AI Toolkit, including CVE-2026-20266, a critical OS command injection flaw in the btool Configuration Helper affecting versions earlier than 5.7.4. The advisories indicate the issues are fixed in version 5.7.4 and users should apply the update.
Sources
Atlassian, Splunk Patch Critical Vulnerabilities - SecurityWeek (securityweek.com)
Splunk AI Toolkit Vulnerability Enables Arbitrary OS Command Execution Attacks (cybersecuritynews.com)
Splunk security advisory (AV26-614) - Malware News - Malware Analysis, News and Indicators (malware.news)
Splunk AI Toolkit Vulnerabilities: Critical RCE & Data Risks (securityonline.info)
Splunk security advisory (AV26-614) - Canadian Centre for Cyber Security (cyber.gc.ca)
SVD-2026-0614 | Splunk Vulnerability Disclosure (advisory.splunk.com)
CVE-2026-20266 - OS Command Injection in the btool Configuration Helper in Splunk AI Toolkit (cvefeed.io)
CVE Record: CVE-2026-20266 (cve.org)


