Affected Environment
Splunk Enterprise versions 9.3, 9.4 and 10.0 that expose the REST API are affected. Splunk Cloud Platform below 10.2.2510.5 is also affected by this RCE flaw.
Threat Overview
CVE-2026-20163 is a high-severity RCE in the Splunk REST API file upload preview. If abused, it can allow arbitrary shell command execution on Splunk hosts.
Exposure Timeline
The issue and vendor advisory were published on 12 March 2026. No exploitation reports or public proof-of-concept are available yet.
Attack Surface
Exposure exists where the /splunkd/__upload/indexing/preview endpoint is reachable. Risk is limited to environments where users can upload files for preview.
Technical Root Cause
The unarchive_cmd parameter in the preview process does not strictly sanitize input. This weak validation allows injection of shell commands into upload handling.
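The hardening this root cause calls for is strict allowlist validation of the command parameter and execution without a shell. The block below is an added illustration, not Splunk's code and not a reproduction of its preview handler; it assumes a parameter of the form `gzip -cd -` (a tool that reads the archive on stdin and writes extracted bytes to stdout) and a hypothetical allowlist of acceptable tools.

```python
"""Allowlist validation for a user-controlled command parameter (added example).

Not Splunk's code. Assumptions: the parameter is a short command line such as
'gzip -cd -', the tool reads the archive on stdin and writes to stdout, and the
set of acceptable tools is known in advance (ALLOWED_UNARCHIVERS is hypothetical).
"""
import re
import shlex
import shutil
import subprocess

# Hypothetical allowlist; restrict it to the tools your deployment actually needs.
ALLOWED_UNARCHIVERS = {"gzip", "bzip2", "xz", "zstd"}
# Characters that only have meaning if the string were handed to a shell.
SHELL_METACHARACTERS = set(";|&$`<>(){}\n\r\\")
# Arguments are limited to plain option/flag syntax.
ARG_PATTERN = re.compile(r"[A-Za-z0-9=._-]+")


def validate_unarchive_cmd(cmd):
    """Return a safe argv list or raise ValueError; never interpret cmd as shell."""
    if any(ch in SHELL_METACHARACTERS for ch in cmd):
        raise ValueError("shell metacharacter in unarchive_cmd")
    argv = shlex.split(cmd)
    if not argv:
        raise ValueError("empty unarchive_cmd")
    prog = argv[0]
    # Bare tool name only: no paths, so the caller cannot select arbitrary binaries.
    if "/" in prog or prog not in ALLOWED_UNARCHIVERS:
        raise ValueError(f"unarchive tool not allowed: {prog!r}")
    for arg in argv[1:]:
        if not ARG_PATTERN.fullmatch(arg):
            raise ValueError(f"unexpected argument: {arg!r}")
    return argv


def run_unarchive(cmd, archive_path, max_output=64 * 1024 * 1024):
    """Run the validated tool with shell=False, feeding the archive on stdin."""
    argv = validate_unarchive_cmd(cmd)
    exe = shutil.which(argv[0])
    if exe is None:
        raise FileNotFoundError(f"{argv[0]} is not installed")
    with open(archive_path, "rb") as archive:
        result = subprocess.run(
            [exe, *argv[1:]],
            stdin=archive,
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            shell=False,
            timeout=60,
            check=True,
        )
    # Truncate so a malicious archive cannot exhaust memory via the preview.
    return result.stdout[:max_output]


if __name__ == "__main__":
    for candidate in ("gzip -cd -", "xz --decompress --stdout", "gzip -cd - | cat"):
        try:
            print(candidate, "->", validate_unarchive_cmd(candidate))
        except ValueError as err:
            print(candidate, "-> rejected:", err)
```

The validator runs before any process is spawned, rejects the string at the first sign of shell syntax rather than trying to escape it, and the resulting argv is passed directly to `subprocess.run` so no shell ever parses user input.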
Exploitation Pathway
An authenticated user with edit_cmd privileges uploads crafted content to Splunk. During preview, injected commands may execute on the underlying OS.
Operational Impact
Successful exploitation can provide full control over affected Splunk servers. Attackers could then alter logs, pivot to other systems, or disrupt monitoring.
Strategic Impact
Compromise of Splunk threatens the integrity of security monitoring and log data. Trust in audit trails and incident detection may be reduced until the issue is remediated.
Required Mitigation
Upgrade Splunk Enterprise 10.0 to 10.0.4, 9.4 to 9.4.9, and 9.3 to 9.3.10. Ensure Splunk Cloud Platform instances are on at least 10.2.2510.5.
Incident Response Guidance
Confirm current Splunk versions and identify unpatched instances that expose the REST API. Review admin accounts with edit_cmd, and monitor for unusual file uploads.
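The version check from the mitigation and incident response sections can be scripted over a host inventory. The block below is an added example, not Splunk's or the advisory's own tooling; the fixed versions are the ones stated above, while the hostnames and version strings in the sample inventory are constructed.

```python
"""Patch-status triage for CVE-2026-20163 (added example, not Splunk's code).

Fixed versions come from the advisory text; the inventory below is constructed
sample data. Feed in real version strings from each host (for example the
output of `splunk version`) to get an action list.
"""
import re

# Minimum fixed build per affected Splunk Enterprise branch, per the advisory.
FIXED_ENTERPRISE = {
    (10, 0): (10, 0, 4),
    (9, 4): (9, 4, 9),
    (9, 3): (9, 3, 10),
}
# Minimum fixed Splunk Cloud Platform version, per the advisory.
FIXED_CLOUD = (10, 2, 2510, 5)


def parse_version(text):
    """Convert '9.4.3' or '10.2.2510.5' into a tuple of ints; reject anything else."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def enterprise_status(version):
    """'patched', 'vulnerable' or 'not-in-advisory' for a Splunk Enterprise version."""
    v = parse_version(version)
    fixed = FIXED_ENTERPRISE.get(v[:2])
    if fixed is None:
        # Branch not listed in the advisory; treat as "needs manual review", not "safe".
        return "not-in-advisory"
    return "patched" if v >= fixed else "vulnerable"


def cloud_status(version):
    """'patched' or 'vulnerable' for a Splunk Cloud Platform version."""
    return "patched" if parse_version(version) >= FIXED_CLOUD else "vulnerable"


def triage(inventory):
    """Map host -> status and return the sorted list of hosts still needing an upgrade."""
    status = {}
    for host, product, version in inventory:
        if product == "enterprise":
            status[host] = enterprise_status(version)
        elif product == "cloud":
            status[host] = cloud_status(version)
        else:
            raise ValueError(f"unknown product {product!r} for {host}")
    needs_upgrade = sorted(h for h, s in status.items() if s == "vulnerable")
    return status, needs_upgrade


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("sh-01.example.internal", "enterprise", "10.0.3"),
    ("idx-01.example.internal", "enterprise", "9.4.9"),
    ("idx-02.example.internal", "enterprise", "9.3.7"),
    ("hf-01.example.internal", "enterprise", "9.2.5"),
    ("acme.splunkcloud.example", "cloud", "10.2.2510.4"),
]

if __name__ == "__main__":
    statuses, todo = triage(SAMPLE_INVENTORY)
    for host, s in statuses.items():
        print(f"{host:30} {s}")
    print("upgrade required:", ", ".join(todo))
```

Version tuples compare element-wise, so a bare branch string such as `9.4` is treated as `9.4.0` and correctly flagged as below `9.4.9`. Hosts on branches the advisory does not list are reported separately rather than marked safe, since the advisory makes no statement about them.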
References
Vendor advisory: Splunk SVD-2026-0302 provides official details and fixes. See https://advisory.splunk.com/advisories/SVD-2026-0302 for full guidance.