Cyber Posture

CVE-2026-20163

Severity: High · Tag: RCE

Published: 11 March 2026
Modified: 24 March 2026
KEV Added: not listed
Patch: available (Splunk advisory SVD-2026-0302)
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0007 (21.8th percentile)
Risk Priority: 14 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-20163 is a high-severity Command Injection (CWE-77) vulnerability in Splunk Enterprise and Splunk Cloud Platform. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 21.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Command and Scripting Interpreter (T1059).

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

Command injection in a Splunk REST endpoint directly enables exploitation of a public-facing application (T1190), yielding arbitrary shell command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124, a user who holds a role that contains the high-privilege capability `edit_cmd` could execute arbitrary shell commands using the `unarchive_cmd` parameter for the `/splunkd/__upload/indexing/preview` REST endpoint.

Deeper analysis (AI)

CVE-2026-20163 is a command injection vulnerability (CWE-77) affecting Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, as well as Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124. Published on 2026-03-11, the flaw resides in the `/splunkd/__upload/indexing/preview` REST endpoint, where the `unarchive_cmd` parameter enables execution of arbitrary shell commands by users holding roles with the high-privilege `edit_cmd` capability.

Exploitation requires a high-privilege account with the `edit_cmd` capability, accessible over the network (AV:N) with low attack complexity (AC:L), no user interaction (UI:N), and unchanged scope (S:U). Successful attacks yield high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), earning a CVSS v3.1 base score of 7.2.

Splunk advisory SVD-2026-0302 details mitigation, recommending upgrades to Splunk Enterprise 10.2.0, 10.0.4, 9.4.9, 9.3.10 or later, and Splunk Cloud Platform 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, 9.3.2411.124 or later to address the issue.
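A version-check helper, added here as an example (it is not code from the Cyber Posture page or from Splunk), that compares a Splunk Enterprise or Splunk Cloud Platform version string against the fixed releases quoted above and groups an inventory of instances by whether they still sit in the vulnerable range. It assumes dotted numeric version strings and treats the leading two components (Enterprise) or three components (Cloud) as the maintenance branch that a fixed release applies to; the host inventory is constructed sample data. Branches the advisory does not name are reported as `not_listed` rather than guessed.

```python
"""Check Splunk version strings against the fixed releases for CVE-2026-20163.

Added example, not code from the page or from Splunk.  Fixed versions are the
ones quoted in the NVD description / Splunk advisory SVD-2026-0302; the branch
convention (major.minor for Enterprise, major.minor.YYMM for Cloud Platform) is
an assumption used to decide which fixed release applies to a given install.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# First fixed release per maintenance branch, per product.
FIXED: Dict[str, Dict] = {
    "enterprise": {"branch_len": 2,
                   "fixed": ["10.2.0", "10.0.4", "9.4.9", "9.3.10"]},
    "cloud": {"branch_len": 3,
              "fixed": ["10.2.2510.5", "10.0.2503.12", "10.1.2507.16",
                        "9.3.2411.124"]},
}


def parse_version(text: str) -> Version:
    """Turn '9.3.2411.124' into (9, 3, 2411, 124); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(product: str, version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'not_listed' for one install.

    The version is matched to the fixed release that shares its branch prefix
    and compared component-wise (Python tuple ordering).  Branches the advisory
    does not name come back as 'not_listed' so they get a manual review instead
    of a silent assumption.
    """
    spec = FIXED[product]
    v = parse_version(version)
    n = spec["branch_len"]
    for fixed_text in spec["fixed"]:
        fixed = parse_version(fixed_text)
        if v[:n] == fixed[:n]:
            return "vulnerable" if v < fixed else "fixed"
    return "not_listed"


def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by assessment outcome, preserving inventory order."""
    out: Dict[str, List[str]] = {"vulnerable": [], "fixed": [], "not_listed": []}
    for host in inventory:
        out[assess(host["product"], host["version"])].append(host["host"])
    return out


# Constructed sample inventory (hostnames and versions invented for the demo).
SAMPLE_INVENTORY = [
    {"host": "sh-01.example.test", "product": "enterprise", "version": "9.4.8"},
    {"host": "sh-02.example.test", "product": "enterprise", "version": "9.4.9"},
    {"host": "idx-01.example.test", "product": "enterprise", "version": "10.1.3"},
    {"host": "stack-a.example.test", "product": "cloud", "version": "9.3.2411.123"},
    {"host": "stack-b.example.test", "product": "cloud", "version": "10.2.2510.5"},
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:11s} {', '.join(hosts) or '-'}")
```

The version result is only half the exposure picture: the page states that exploitation needs a role carrying the `edit_cmd` capability, so the same triage run is best paired with a review of which roles and users hold that capability on each still-vulnerable instance.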

Details

CWE(s): CWE-77 (Command Injection)

Affected Products

Vendor: splunk · Product: splunk (Splunk Enterprise) · Versions: 9.3.0 — 9.3.10 · 9.4.0 — 9.4.9 · 10.0.0 — 10.0.4
Vendor: splunk · Product: splunk cloud platform · Versions: 9.3.2411 — 9.3.2411.124 · 10.0.2503 — 10.0.2503.12 · 10.1.2507 — 10.1.2507.16

(The upper bound of each range is the first fixed release; per the NVD description, versions below it are affected.)

CVEs Like This One

CVE-2026-20204 (same product: Splunk)
CVE-2025-20229 (same product: Splunk)
CVE-2025-20231 (same product: Splunk)
CVE-2026-2333 (shared CWE-77)
CVE-2024-55030 (shared CWE-77)
CVE-2025-60801 (shared CWE-77)
CVE-2025-24818 (shared CWE-77)
CVE-2025-22630 (shared CWE-77)
CVE-2025-52688 (shared CWE-77)
CVE-2025-60021 (shared CWE-77)

References