High

Remote Command Execution in Splunk upload preview unarchive_cmd

IdentifiersCVE-2026-20163CWE-77· Improper Neutralization of Special…

CVE-2026-20163 is a remote command execution vulnerability in Splunk Enterprise and Splunk Cloud Platform. The issue affects Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124. The vulnerable functionality is the /splunkd/__upload/indexing/preview REST endpoint, where the unarchive_cmd parameter can be abused. Due to insufficient input sanitization / improper neutralization of special elements in this parameter during preview of uploaded files before indexing, a user with a role containing the high-privilege edit_cmd capability can inject and execute arbitrary shell commands on the underlying host operating system.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary shell command execution on the Splunk host, which can result in full compromise of the affected server depending on the privileges of the Splunk service account and host configuration. This may enable takeover of the underlying system, unauthorized access to data processed by Splunk, modification of configurations or indexed content, installation of persistence mechanisms, and use of the compromised host for further lateral movement.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, remove the edit_cmd capability from all user roles that do not strictly require it, as exploitation requires a role containing this high-privilege capability. Restrict access to the /splunkd/__upload/indexing/preview functionality to the minimum necessary set of trusted administrators, review role assignments for excessive privileges, and monitor for suspicious use of the unarchive_cmd parameter and upload preview operations until upgrades are completed.

Remediation

Patch, then assume compromise.

Upgrade Splunk Enterprise to a fixed release: 10.2.0 or later, 10.0.4 or later, 9.4.9 or later, or 9.3.10 or later, as appropriate for the deployed branch. For Splunk Cloud Platform, fixed builds are 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124 or later; Splunk indicated it is monitoring and patching affected cloud instances. Validate that no affected instances remain on vulnerable builds after maintenance.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

SplunkSplunkapplication

SplunkSplunk Cloud Platformapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

10 SOURCESView more in app

cyber security newsNews

Mar 12, 2026

Splunk RCE Vulnerability Allows Attackers to Execute Arbitrary Shell Commands

A high-severity remote command execution vulnerability in Splunk Enterprise and Splunk Cloud Platform caused by improper sanitization of user-controlled input (CWE-77) in the file upload preview/indexing REST API endpoint, enabling arbitrary shell command execution when a user has the high-privilege edit_cmd capability.

sdxcentral cybersecurityNews

Oct 30, 2025

Splunk suite at threat from remote code execution - SDxCentral

A remote command execution vulnerability in Splunk Enterprise and Splunk Cloud Platform caused by insufficient input sanitization in the upload preview interface's unarchive option, allowing arbitrary shell commands on the host OS.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity8

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-20163

NVD

nvd.nist.gov/vuln/detail/CVE-2026-20163

MITRE CWE · CWE-77

Improper Neutralization of Special Elements…

Vendor Advisory

advisory.splunk.com/advisories/SVD-2026-0302