CVE-2026-20163
Published: 11 March 2026
Summary
CVE-2026-20163 is a high-severity Command Injection (CWE-77) vulnerability in Splunk Cloud Platform. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 22.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-20163 is a command injection vulnerability (CWE-77) affecting Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, as well as Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124. Published on 2026-03-11, the flaw resides in the `/splunkd/__upload/indexing/preview` REST endpoint, where the `unarchive_cmd` parameter enables execution of arbitrary shell commands by users holding roles with the high-privilege `edit_cmd` capability.
Exploitation requires a high-privilege account with the `edit_cmd` capability, accessible over the network (AV:N) with low attack complexity (AC:L), no user interaction (UI:N), and unchanged scope (S:U). Successful attacks yield high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), earning a CVSS v3.1 base score of 7.2.
Splunk advisory SVD-2026-0302 details mitigation, recommending upgrades to Splunk Enterprise 10.2.0, 10.0.4, 9.4.9, 9.3.10 or later, and Splunk Cloud Platform 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, 9.3.2411.124 or later to address the issue.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11229
Vulnerability details
In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124, a user who holds a role that contains the high-privilege capability `edit_cmd` could execute arbitrary shell commands using the `unarchive_cmd` parameter for the `/splunkd/__upload/indexing/preview` REST endpoint.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in a network-reachable Splunk REST endpoint maps directly to Exploit Public-Facing Application (T1190), with the injected input executed through the shell as Command and Scripting Interpreter (T1059).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly blocks command injection by requiring validation/sanitization of the `unarchive_cmd` parameter before it reaches the shell.
- AC-6 (Least Privilege): restricts assignment of the high-privilege `edit_cmd` capability to only those roles that absolutely require it, reducing the population able to reach the vulnerable endpoint.
- SI-2 (Flaw Remediation): mandates prompt application of the vendor patches that remove the flawed `unarchive_cmd` handling in the `/splunkd/__upload/indexing/preview` endpoint.
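As an added example (not code from this page, from Splunk, or from the advisory), the following Python script supports the AC-6 and detection side of these controls: it resolves which roles hold `edit_cmd` directly or through role inheritance, and flags access-log requests that reach the preview endpoint with an `unarchive_cmd` parameter. The role dictionary and log lines are constructed samples; the `imported_roles`/`capabilities` field names and the combined-log line layout are assumptions about the export format, not verified against the product.

```python
import json
import re

# Constructed sample role export (assumption: one object per role with the
# fields "imported_roles" and "capabilities", as a role listing might expose them).
SAMPLE_ROLES_JSON = json.dumps({
    "power": {"imported_roles": ["user"], "capabilities": ["edit_cmd", "schedule_search"]},
    "user": {"imported_roles": [], "capabilities": ["search"]},
    "app_ops": {"imported_roles": ["power"], "capabilities": ["rest_properties_get"]},
    "readonly": {"imported_roles": ["user"], "capabilities": []},
})

def effective_capabilities(roles: dict, role: str, seen=None) -> set:
    """Capabilities a role holds itself plus those inherited via imported roles.
    The `seen` set guards against import cycles and unknown role names."""
    seen = seen if seen is not None else set()
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    caps = set(roles[role].get("capabilities", []))
    for parent in roles[role].get("imported_roles", []):
        caps |= effective_capabilities(roles, parent, seen)
    return caps

def roles_with_capability(roles_json: str, capability: str = "edit_cmd") -> list:
    """Sorted names of roles that hold `capability` directly or by inheritance."""
    roles = json.loads(roles_json)
    return sorted(r for r in roles if capability in effective_capabilities(roles, r))

# Constructed access-log lines (assumption: combined-log style as in splunkd access logs).
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - admin [11/Mar/2026:10:01:02.000 +0000] "POST /services/indexing/preview HTTP/1.1" 200 312
10.0.0.7 - svc_ingest [11/Mar/2026:10:02:15.000 +0000] "POST /splunkd/__upload/indexing/preview?unarchive_cmd=tar%20xf HTTP/1.1" 200 118
10.0.0.9 - analyst [11/Mar/2026:10:03:40.000 +0000] "GET /splunkd/__upload/indexing/preview?props.sourcetype=syslog HTTP/1.1" 200 77
"""

LINE_RE = re.compile(r'^(?P<src>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

def suspicious_preview_requests(log_text: str) -> list:
    """(user, source IP, timestamp) for requests hitting the preview endpoint
    with an unarchive_cmd parameter; these are what to review against the edit_cmd roles."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and "/__upload/indexing/preview" in m.group("path") and "unarchive_cmd=" in m.group("path"):
            hits.append((m.group("user"), m.group("src"), m.group("ts")))
    return hits
```

Cross-referencing the flagged users with the `edit_cmd` role list narrows review to accounts that could actually reach the vulnerable code path.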