Cyber Resilience

CVE-2026-20163

High · RCE

Published: 11 March 2026
Modified: 24 March 2026
KEV Added: not listed
Patch: vendor fix available
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0008 (22.7th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-20163 is a high-severity command injection (CWE-77) vulnerability in Splunk Enterprise and Splunk Cloud Platform. Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190), with the caveat that the PR:H vector means the attacker must already hold credentials for a role carrying `edit_cmd`. EPSS ranks it at the 22.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-20163 is a command injection vulnerability (CWE-77) affecting Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124. Published on 2026-03-11, the flaw is in the `/splunkd/__upload/indexing/preview` REST endpoint: the `unarchive_cmd` parameter, which as its name indicates specifies the command used to unpack an uploaded archive for preview, is handed to a shell, so a user whose role holds the high-privilege `edit_cmd` capability can supply arbitrary shell commands and have splunkd execute them.

The endpoint is reachable over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N), but the attacker must already be authenticated as a user in a role with `edit_cmd` (PR:H); that precondition is what holds the score to 7.2 rather than the 9.8 an unauthenticated variant of the same vector would score. Scope is unchanged (S:U), and a successful attack yields full impact on confidentiality, integrity, and availability (C:H/I:H/A:H) of the Splunk host, since the injected commands run under the splunkd service account. In practice the precondition is met by a compromised or malicious privileged Splunk user, so credential hygiene for those roles matters as much as the patch.
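The injection pattern described above, as an added example in Python that is not Splunk's code: a vulnerable builder splices the caller-supplied `unarchive_cmd` into a shell command line (the CWE-77 shape), and a hardened builder accepts only an allowlisted key and never invokes a shell. The handler structure, the allowlisted tools (`gzip`, `bzip2`, `xz`) and the upload path are assumptions for the example.

```python
import shlex
import subprocess
from pathlib import Path

# Allowlist mapping a short, caller-visible key to a fixed decompressor argv.
# Assumption for this example: the keys, tools and flags are ours, not Splunk's.
ALLOWED_UNARCHIVE_CMDS = {
    "gzip": ["gzip", "-dc"],
    "bzip2": ["bzip2", "-dc"],
    "xz": ["xz", "-dc"],
}
PREVIEW_BYTES = 65536
SHELL_METACHARS = set(";|&`$(){}<>\n")


def build_preview_command_vulnerable(unarchive_cmd: str, upload_path: str) -> str:
    """Vulnerable pattern (CWE-77): the caller-supplied command is spliced into a
    shell command line that is later run with shell=True. Quoting the path is
    not enough; 'gzip -dc; id' still makes the shell run 'id' as the server user."""
    return f"{unarchive_cmd} {shlex.quote(upload_path)} | head -c {PREVIEW_BYTES}"


def run_preview_vulnerable(unarchive_cmd: str, upload_path: str) -> bytes:
    cmd = build_preview_command_vulnerable(unarchive_cmd, upload_path)
    return subprocess.run(cmd, shell=True, capture_output=True, check=False).stdout


def build_preview_argv_hardened(unarchive_cmd: str, upload_path: str) -> list:
    """Hardened form (SI-10 input validation): accept only an allowlisted key,
    expand it to a fixed argv, and pass the path as one argument. No shell is
    involved, so metacharacters in either value carry no meaning."""
    argv = ALLOWED_UNARCHIVE_CMDS.get(unarchive_cmd)
    if argv is None:
        raise ValueError(f"unarchive_cmd not permitted: {unarchive_cmd!r}")
    path = Path(upload_path)
    if not path.is_absolute() or ".." in path.parts:
        raise ValueError("upload_path must be absolute and must not contain '..'")
    return [*argv, str(path)]


def run_preview_hardened(unarchive_cmd: str, upload_path: str) -> bytes:
    argv = build_preview_argv_hardened(unarchive_cmd, upload_path)
    out = subprocess.run(argv, capture_output=True, check=False).stdout
    return out[:PREVIEW_BYTES]  # truncate in-process instead of piping through head


def hardened_rejects(unarchive_cmd: str, upload_path: str) -> bool:
    """True when the hardened builder refuses the request."""
    try:
        build_preview_argv_hardened(unarchive_cmd, upload_path)
    except ValueError:
        return True
    return False


def looks_like_injection(unarchive_cmd: str) -> bool:
    """Triage helper for request logs: a legitimate value is a single allowlisted
    key, so any shell metacharacter signals an attempt to chain commands."""
    return any(ch in SHELL_METACHARS for ch in unarchive_cmd)


if __name__ == "__main__":
    path = "/opt/splunk/var/run/splunk/upload/sample.gz"  # illustrative path
    print(build_preview_command_vulnerable("gzip -dc; id", path))
    print(build_preview_argv_hardened("gzip", path))
    print(hardened_rejects("gzip -dc; id", path))
```

The design point is that the fix is not escaping: the hardened builder turns the parameter into a choice among fixed argv lists, so the only thing a caller controls is which allowlisted tool runs, and the upload path travels as a single argv element rather than through a shell parser.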

Splunk advisory SVD-2026-0302 details mitigation, recommending upgrades to Splunk Enterprise 10.2.0, 10.0.4, 9.4.9, 9.3.10 or later, and Splunk Cloud Platform 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, 9.3.2411.124 or later to address the issue.
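A triage helper for the fixed versions listed above, added here as an example and not part of the advisory. It parses version strings numerically (string comparison would put 9.3.10 before 9.3.9), compares within the installed release line when that line has a listed fix, and, as an assumption to confirm against the advisory, treats a line with no listed fix (for instance Enterprise 10.1.x) as affected when it is below the next higher fixed release, which is how "below 10.2.0" reads. The host inventory is constructed.

```python
# Fixed versions exactly as the advisory lists them (the only data taken from the page).
ENTERPRISE_FIXED = ["10.2.0", "10.0.4", "9.4.9", "9.3.10"]
CLOUD_FIXED = ["10.2.2510.5", "10.0.2503.12", "10.1.2507.16", "9.3.2411.124"]

# How many leading components identify a release line: Enterprise lines are
# major.minor (9.3, 9.4, 10.0, 10.2); Cloud lines are major.minor.build (9.3.2411).
LINE_COMPONENTS = {"enterprise": 2, "cloud": 3}
FIXED_BY_PRODUCT = {"enterprise": ENTERPRISE_FIXED, "cloud": CLOUD_FIXED}


def parse_version(version: str) -> tuple:
    """'10.1.2507.16' -> (10, 1, 2507, 16); numeric tuples compare correctly,
    unlike strings, where '9.3.10' < '9.3.9'."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(product: str, version: str):
    """Return (affected, upgrade_target).

    If the installed release line has a listed fix, compare within that line.
    If it does not (Enterprise 10.1.x, or an end-of-life line such as 9.2.x),
    treat the install as affected when it is below the next higher fixed
    release. That reading of 'below 10.2.0' is an assumption; confirm it
    against the advisory. A version above every fixed release is reported as
    not affected with no target."""
    fixed = FIXED_BY_PRODUCT[product]
    n = LINE_COMPONENTS[product]
    v = parse_version(version)
    same_line = [f for f in fixed if parse_version(f)[:n] == v[:n]]
    if same_line:
        target = same_line[0]
        return v < parse_version(target), target
    higher = [f for f in fixed if parse_version(f) > v]
    if not higher:
        return False, None
    return True, min(higher, key=parse_version)


def triage(inventory):
    """inventory: list of (host, product, version) -> list of (host, affected, target)."""
    return [(host, *is_affected(product, version)) for host, product, version in inventory]


if __name__ == "__main__":
    # Constructed inventory for demonstration; not real hosts.
    sample = [
        ("idx01", "enterprise", "9.4.8"),
        ("idx02", "enterprise", "9.4.9"),
        ("sh01", "enterprise", "10.1.3"),
        ("stack-a", "cloud", "10.1.2507.15"),
    ]
    for row in triage(sample):
        print(row)
```

Feed it the output of `splunk version` (or the version field from the instance's REST server-info) per host; the upgrade target it returns is the fixed release in the same line, so a 9.4.x indexer is pointed at 9.4.9 rather than at 10.2.0.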


Vulnerability details

In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124, a user who holds a role that contains the high-privilege capability `edit_cmd` could execute arbitrary shell commands using the `unarchive_cmd` parameter for the `/splunkd/__upload/indexing/preview` REST endpoint.

CWE(s)

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Command injection through a Splunk REST endpoint maps to Exploit Public-Facing Application (T1190) for initial access, with the injected shell commands executed via Command and Scripting Interpreter (T1059). One caveat: the attacker needs valid credentials for a role holding `edit_cmd` (PR:H), so T1190 applies only where the splunkd REST interface is exposed and such an account has been obtained; against an internal-only management interface the same flaw is a post-compromise execution step, escalating from Splunk administrative privileges to OS command execution, rather than initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-20204 · Same product: Splunk
CVE-2025-20229 · Same product: Splunk
CVE-2026-20239 · Same product: Splunk
CVE-2025-20231 · Same product: Splunk
CVE-2025-67397 · Shared CWE-77
CVE-2024-55030 · Shared CWE-77
CVE-2025-24818 · Shared CWE-77
CVE-2025-9223 · Shared CWE-77
CVE-2026-8431 · Shared CWE-77
CVE-2026-44869 · Shared CWE-77

Affected Assets

Splunk Enterprise (vendor: Splunk)
9.3.x below 9.3.10 · 9.4.x below 9.4.9 · 10.0.x below 10.0.4 · all other releases below 10.2.0 (the fixed versions themselves are not affected)
Splunk Cloud Platform (vendor: Splunk)
9.3.2411.x below 9.3.2411.124 · 10.0.2503.x below 10.0.2503.12 · 10.1.2507.x below 10.1.2507.16 · 10.2.2510.x below 10.2.2510.5

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-10 Information Input Validation (prevent)

Directly blocks command injection by requiring validation/sanitization of the unarchive_cmd parameter before it reaches the shell. In practice that means an allowlist of permitted unarchive commands mapped to fixed argument vectors, not filtering of shell metacharacters, which is routinely bypassed.

AC-6 Least Privilege (prevent)

Restricts assignment of the high-privilege edit_cmd capability to only those roles that absolutely require it, reducing the population able to reach the vulnerable endpoint. Audit for edit_cmd held both directly and through imported roles, and review the users assigned to those roles; this narrows exposure but does not remove it for the roles that keep the capability.

SI-2 Flaw Remediation (prevent)

Mandates prompt application of the vendor patches that remove the flawed unarchive_cmd handling in the /splunkd/__upload/indexing/preview endpoint: Splunk Enterprise 10.2.0, 10.0.4, 9.4.9, 9.3.10 or later, and Splunk Cloud Platform 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, 9.3.2411.124 or later.
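The AC-6 audit described above, as an added example in Python that is not Splunk's code or tooling: it reads the splunkd REST collections `/services/authorization/roles` and `/services/authentication/users` (JSON output), resolves `edit_cmd` held directly or inherited through `imported_roles`, and lists the users assigned to those roles. The sample responses embedded below are constructed in the shape of those collections, not exported from a real instance; the host name and credentials in the commented live call are placeholders.

```python
import json
import ssl
import urllib.request
from base64 import b64encode

CAPABILITY = "edit_cmd"


def roles_with_capability(roles_json: dict, capability: str = CAPABILITY) -> dict:
    """Map role name -> 'direct' or 'inherited' for every role that holds the
    capability. Inheritance is resolved by walking imported_roles, so chains
    (role C imports B imports A) are caught; the 'seen' set stops cycles."""
    roles = {e["name"]: e.get("content", {}) for e in roles_json["entry"]}

    def holds(name: str, seen: frozenset) -> bool:
        content = roles.get(name)
        if content is None or name in seen:
            return False
        if capability in content.get("capabilities", []):
            return True
        return any(holds(r, seen | {name}) for r in content.get("imported_roles", []))

    result = {}
    for name, content in roles.items():
        if capability in content.get("capabilities", []):
            result[name] = "direct"
        elif holds(name, frozenset()):
            result[name] = "inherited"
    return result


def users_with_capability(users_json: dict, holders: dict) -> list:
    """Sorted user names assigned at least one role from 'holders'."""
    return sorted(
        e["name"] for e in users_json["entry"]
        if set(e.get("content", {}).get("roles", [])) & set(holders)
    )


def fetch_json(base_url: str, path: str, user: str, password: str, verify_tls: bool = True) -> dict:
    """GET a splunkd REST collection as JSON (count=0 returns every entry)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # self-signed splunkd certs are common; prefer a CA bundle
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"{base_url}{path}?output_mode=json&count=0")
    token = b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


# Constructed sample responses in the shape of the two collections; these are
# not exported from a real Splunk instance and imply nothing about defaults.
SAMPLE_ROLES = {"entry": [
    {"name": "admin", "content": {"capabilities": ["admin_all_objects", "edit_cmd"], "imported_roles": []}},
    {"name": "soc_lead", "content": {"capabilities": ["search"], "imported_roles": ["admin"]}},
    {"name": "power", "content": {"capabilities": ["schedule_search"], "imported_roles": ["user"]}},
    {"name": "user", "content": {"capabilities": ["search"], "imported_roles": []}},
]}
SAMPLE_USERS = {"entry": [
    {"name": "admin", "content": {"roles": ["admin"]}},
    {"name": "alice", "content": {"roles": ["soc_lead"]}},
    {"name": "bob", "content": {"roles": ["power", "user"]}},
]}


def audit(roles_json: dict, users_json: dict) -> dict:
    holders = roles_with_capability(roles_json)
    return {"roles": holders, "users": users_with_capability(users_json, holders)}


if __name__ == "__main__":
    print(audit(SAMPLE_ROLES, SAMPLE_USERS))
    # Live use against the splunkd management port (8089 is the default):
    # base = "https://splunk.example.com:8089"  # placeholder host
    # roles = fetch_json(base, "/services/authorization/roles", "auditor", "pw")
    # users = fetch_json(base, "/services/authentication/users", "auditor", "pw")
    # print(audit(roles, users))
```

Resolving `imported_roles` yourself rather than trusting a flat capability list is the point: a role that looks harmless in its own capability list still reaches the vulnerable endpoint if it imports a role that holds `edit_cmd`, and that is the population AC-6 needs to shrink.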
