Remote Command Execution (RCE) through the '/splunkd/__upload/indexing/preview' REST endpoint in Splunk Enterprise
Advisory ID: SVD-2026-0302
CVE ID: CVE-2026-20163
Published: 2026-03-11
Last Update: 2026-03-11
CVSSv3.1 Score: 8.0, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-77
Bug ID: VULN-17049
Description
In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124, a user who holds a role that contains the high-privilege capability edit_cmd could execute arbitrary shell commands using the unarchive_cmd parameter for the /splunkd/__upload/indexing/preview REST endpoint.
This occurs because of insufficient input sanitization when previewing uploaded files before indexing them.
See Define roles on the Splunk platform with capabilities and props.conf for more information.
Solution
Upgrade Splunk Enterprise to versions 10.2.0, 10.0.4, 9.4.9, 9.3.10, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
| Product | Base Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 10.2 | REST API | Not affected | 10.2.0 |
| Splunk Enterprise | 10.0 | REST API | 10.0.0 to 10.0.3 | 10.0.4 |
| Splunk Enterprise | 9.4 | REST API | 9.4.0 to 9.4.8 | 9.4.9 |
| Splunk Enterprise | 9.3 | REST API | 9.3.0 to 9.3.9 | 9.3.10 |
| Splunk Cloud Platform | 10.2.2510 | REST API | Below 10.2.2510.5 | 10.2.2510.5 |
| Splunk Cloud Platform | 10.0.2503 | REST API | Below 10.0.2503.12 | 10.0.2503.12 |
| Splunk Cloud Platform | 10.1.2507 | REST API | Below 10.1.2507.16 | 10.1.2507.16 |
| Splunk Cloud Platform | 9.3.2411 | REST API | Below 9.3.2411.124 | 9.3.2411.124 |
Mitigations and Workarounds
If it isn’t currently possible to upgrade to a fixed version of Splunk Enterprise, remove the high-privilege capability edit_cmd from the role to remedy the problem.
See Define roles on the Splunk platform with capabilities.
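The two checks a defender needs here are whether a given deployment falls into an affected range from the Product Status table and which roles currently grant edit_cmd. The following Python is an added example, not Splunk's own code: the fix versions are transcribed from this advisory, the role listing is a constructed sample that assumes the JSON shape returned by the /services/authorization/roles endpoint with output_mode=json (an "entry" list whose items carry "name" and "content" with "capabilities" and "imported_capabilities"), and the function names are the example's own.

```python
"""Audit helpers for SVD-2026-0302 / CVE-2026-20163 (added example, not Splunk's code)."""
import json
from typing import Optional

# Fix versions from the advisory's Product Status table, keyed by product and base line.
# Enterprise lines are keyed by (major, minor); Cloud lines by (major, minor, release).
FIX_VERSIONS = {
    "Splunk Enterprise": {
        (10, 2): (10, 2, 0),
        (10, 0): (10, 0, 4),
        (9, 4): (9, 4, 9),
        (9, 3): (9, 3, 10),
    },
    "Splunk Cloud Platform": {
        (10, 2, 2510): (10, 2, 2510, 5),
        (10, 0, 2503): (10, 0, 2503, 12),
        (10, 1, 2507): (10, 1, 2507, 16),
        (9, 3, 2411): (9, 3, 2411, 124),
    },
}


def parse_version(version: str) -> tuple:
    """Turn '9.4.8' into (9, 4, 8) so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(product: str, version: str) -> Optional[bool]:
    """True if the version is below the fix for its base line, False if at or above it,
    None if the advisory lists no fix for that base line (no statement is made)."""
    parsed = parse_version(version)
    base_len = 2 if product == "Splunk Enterprise" else 3
    fix = FIX_VERSIONS[product].get(parsed[:base_len])
    if fix is None:
        return None
    # Pad short inputs so '10.0' compares like '10.0.0'.
    padded = parsed + (0,) * (len(fix) - len(parsed))
    return padded < fix


def roles_with_capability(roles_json: str, capability: str = "edit_cmd") -> list:
    """Return the names of roles that hold `capability`, either directly or through
    an imported role. Assumes the roles-endpoint JSON shape described in the lead-in."""
    doc = json.loads(roles_json)
    hits = []
    for entry in doc.get("entry", []):
        content = entry.get("content", {})
        caps = set(content.get("capabilities", [])) | set(content.get("imported_capabilities", []))
        if capability in caps:
            hits.append(entry["name"])
    return sorted(hits)


# Constructed sample listing; the role names and capability sets are illustrative only.
SAMPLE_ROLES = json.dumps({"entry": [
    {"name": "admin", "content": {"capabilities": ["edit_cmd", "edit_roles"], "imported_capabilities": []}},
    {"name": "power", "content": {"capabilities": ["schedule_search"], "imported_capabilities": ["search"]}},
    {"name": "data_ingest", "content": {"capabilities": ["edit_monitor"], "imported_capabilities": ["edit_cmd"]}},
    {"name": "user", "content": {"capabilities": [], "imported_capabilities": ["search"]}},
]})


if __name__ == "__main__":
    for product, version in [("Splunk Enterprise", "9.4.8"),
                             ("Splunk Enterprise", "10.2.1"),
                             ("Splunk Cloud Platform", "10.0.2503.12")]:
        print(f"{product} {version}: affected={is_affected(product, version)}")
    print("roles granting edit_cmd:", roles_with_capability(SAMPLE_ROLES))
```

Roles that inherit edit_cmd through imported_capabilities are the ones easiest to miss when applying the workaround, so the audit checks both lists; the version check returns None rather than False for lines the advisory does not mention, so an unlisted line is not silently reported as safe.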
Detections
None
Severity
Splunk rates this vulnerability an 8.0, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H.
Acknowledgments
Danylo Dmytriiev (DDV_UA)
Gabriel Nitu, Splunk
James Ervin, Splunk