{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20163", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "state": "PUBLISHED", "assignerShortName": "cisco", "dateReserved": "2025-10-08T11:59:15.389Z", "datePublished": "2026-03-11T16:18:26.857Z", "dateUpdated": "2026-03-12T13:23:31.857Z"}, "containers": {"cna": {"affected": [{"product": "Splunk Enterprise", "vendor": "Splunk", "versions": [{"version": "10.0", "status": "affected", "versionType": "custom", "lessThan": "10.0.4"}, {"version": "9.4", "status": "affected", "versionType": "custom", "lessThan": "9.4.9"}, {"version": "9.3", "status": "affected", "versionType": "custom", "lessThan": "9.3.10"}]}, {"product": "Splunk Cloud Platform", "vendor": "Splunk", "versions": [{"version": "10.2.2510", "status": "affected", "versionType": "custom", "lessThan": "10.2.2510.5"}, {"version": "10.0.2503", "status": "affected", "versionType": "custom", "lessThan": "10.0.2503.12"}, {"version": "10.1.2507", "status": "affected", "versionType": "custom", "lessThan": "10.1.2507.16"}, {"version": "9.3.2411", "status": "affected", "versionType": "custom", "lessThan": "9.3.2411.124"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124, a user who holds a role that contains the high-privilege capability `edit_cmd` could execute arbitrary shell commands using the `unarchive_cmd` parameter for the `/splunkd/__upload/indexing/preview` REST endpoint."}], "value": "In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124, a user who holds a role that contains the high-privilege capability `edit_cmd` could execute arbitrary shell commands using the `unarchive_cmd` parameter for the `/splunkd/__upload/indexing/preview` REST endpoint."}], "references": [{"url": "https://advisory.splunk.com/advisories/SVD-2026-0302"}], "title": "Remote Command Execution (RCE) through the '/splunkd/__upload/indexing/preview' REST endpoint in Splunk Enterprise", "datePublic": "2026-03-11T00:00:00.000Z", "metrics": [{"cvssV3_1": {"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "baseScore": 8, "baseSeverity": "HIGH"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cwe", "description": "The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.", "cweId": "CWE-77"}]}], "source": {"advisory": "SVD-2026-0302"}, "credits": [{"lang": "en", "value": "Danylo Dmytriiev (DDV_UA) <br><br>Gabriel Nitu, Splunk<br><br>James Ervin, Splunk"}], "providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2026-03-11T16:18:26.857Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T03:55:43.201014Z", "id": "CVE-2026-20163", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T13:23:31.857Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-20163", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-12T03:55:43.201014Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T13:23:28.580Z"}}], "cna": {"title": "Remote Command Execution (RCE) through the '/splunkd/__upload/indexing/preview' REST endpoint in Splunk Enterprise", "source": {"advisory": "SVD-2026-0302"}, "credits": [{"lang": "en", "value": "Danylo Dmytriiev (DDV_UA) <br><br>Gabriel Nitu, Splunk<br><br>James Ervin, Splunk"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Splunk", "product": "Splunk Enterprise", "versions": [{"status": "affected", "version": "10.0", "lessThan": "10.0.4", "versionType": "custom"}, {"status": "affected", "version": "9.4", "lessThan": "9.4.9", "versionType": "custom"}, {"status": "affected", "version": "9.3", "lessThan": "9.3.10", "versionType": "custom"}]}, {"vendor": "Splunk", "product": "Splunk Cloud Platform", "versions": [{"status": "affected", "version": "10.2.2510", "lessThan": "10.2.2510.5", "versionType": "custom"}, {"status": "affected", "version": "10.0.2503", "lessThan": "10.0.2503.12", "versionType": "custom"}, {"status": "affected", "version": "10.1.2507", "lessThan": "10.1.2507.16", "versionType": "custom"}, {"status": "affected", "version": "9.3.2411", "lessThan": "9.3.2411.124", "versionType": "custom"}]}], "datePublic": "2026-03-11T00:00:00.000Z", "references": [{"url": "https://advisory.splunk.com/advisories/SVD-2026-0302"}], "descriptions": [{"lang": "en", "value": "In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124, a user who holds a role that contains the high-privilege capability `edit_cmd` could execute arbitrary shell commands using the `unarchive_cmd` parameter for the `/splunkd/__upload/indexing/preview` REST endpoint.", "supportingMedia": [{"type": "text/html", "value": "In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124, a user who holds a role that contains the high-privilege capability `edit_cmd` could execute arbitrary shell commands using the `unarchive_cmd` parameter for the `/splunkd/__upload/indexing/preview` REST endpoint.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "cwe", "cweId": "CWE-77", "description": "The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component."}]}], "providerMetadata": {"orgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "shortName": "cisco", "dateUpdated": "2026-03-11T16:18:26.857Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20163", "state": "PUBLISHED", "dateUpdated": "2026-03-12T13:23:31.857Z", "dateReserved": "2025-10-08T11:59:15.389Z", "assignerOrgId": "d1c1063e-7a18-46af-9102-31f8928bc633", "datePublished": "2026-03-11T16:18:26.857Z", "assignerShortName": "cisco"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "BFBDF80A-51CC-470E-977C-96ABBF89162D", "versionEndExcluding": "9.3.10", "versionStartIncluding": "9.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "ACAC2D08-9ED6-4E58-A999-0EE2025C69FC", "versionEndExcluding": "9.4.9", "versionStartIncluding": "9.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:*", "matchCriteriaId": "1E7483F3-FE84-42B9-A2E7-6E89B110BA31", "versionEndExcluding": "10.0.4", "versionStartIncluding": "10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "5198A912-AABA-40D1-8DE1-958E6584501B", "versionEndExcluding": "9.3.2411.124", "versionStartIncluding": "9.3.2411", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA248FBD-6AFF-492C-93A8-17EAA7C07FC1", "versionEndExcluding": "10.0.2503.12", "versionStartIncluding": "10.0.2503", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "17E11C59-CC22-48AA-A969-717D4D527019", "versionEndExcluding": "10.1.2507.16", "versionStartIncluding": "10.1.2507", "vulnerable": true}, {"criteria": "cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:*", "matchCriteriaId": "6609708F-A13F-4E4E-9883-C11659BD6C3C", "versionEndExcluding": "10.2.2510.5", "versionStartIncluding": "10.2.2510", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124, a user who holds a role that contains the high-privilege capability `edit_cmd` could execute arbitrary shell commands using the `unarchive_cmd` parameter for the `/splunkd/__upload/indexing/preview` REST endpoint."}, {"lang": "es", "value": "En las versiones de Splunk Enterprise anteriores a 10.2.0, 10.0.4, 9.4.9 y 9.3.10, y las versiones de Splunk Cloud Platform anteriores a 10.2.2510.5, 10.0.2503.12, 10.1.2507.16 y 9.3.2411.124, un usuario que posee un rol que contiene la capacidad de alto privilegio 'edit_cmd' podr\u00eda ejecutar comandos de shell arbitrarios utilizando el par\u00e1metro 'unarchive_cmd' para el endpoint REST /splunkd/__upload/indexing/preview."}], "id": "CVE-2026-20163", "lastModified": "2026-03-24T17:10:58.140", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "psirt@cisco.com", "type": "Primary"}]}, "published": "2026-03-11T17:16:56.607", "references": [{"source": "psirt@cisco.com", "tags": ["Vendor Advisory"], "url": "https://advisory.splunk.com/advisories/SVD-2026-0302"}], "sourceIdentifier": "psirt@cisco.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "psirt@cisco.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.2.2510,10.2.2510.5)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.0.2503,10.0.2503.12)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.1.2507,10.1.2507.16)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.3.2411,9.3.2411.124)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Splunk Cloud Platform", "source": "cna", "vendor": "Splunk"}, "product": "splunk_cloud_platform", "vendor": "splunk"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.0,10.0.4)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.4,9.4.9)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.3,9.3.10)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Splunk Enterprise", "source": "cna", "vendor": "Splunk"}, "product": "splunk_enterprise", "vendor": "splunk"}], "analysis": {"en": {"generated_at": "2026-03-24T18:56:27.073484+00:00", "value": {"mitigation_remediation": ["Upgrade Splunk Enterprise to version 10.2.0 or newer, or to at least 10.0.4, 9.4.9, or 9.3.10, and upgrade Splunk Cloud Platform to at least 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, or 9.3.2411.124.", "Verify that no user or role has the edit_cmd capability; if possible, revoke or reduce this privilege.", "Monitor Splunk logs for attempts to access the /splunkd/__upload/indexing/preview endpoint and for suspicious command execution attempts."], "summary": {"action": "Immediate Patch", "impact": "Remote code execution via REST endpoint"}, "threat_synthesis": {"affected_systems": "Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10, and Splunk Cloud Platform releases older than 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124 are affected. Users who can grant themselves or others the edit_cmd capability are at risk.", "description_and_impact": "The vulnerability allows an authenticated user with the edit_cmd capability to execute arbitrary shell commands through the unarchive_cmd parameter of the /splunkd/__upload/indexing/preview REST endpoint. This results in full remote code execution on the Splunk platform, compromising confidentiality, integrity, and availability. The weakness is a command injection flaw, identified as CWE\u201177.", "risk_and_exploitability": "The CVSS score of 8 indicates high severity. EPSS is reported to be below 1%, suggesting a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Once the edit_cmd privilege is available, the attacker can gain complete system compromise. Prevention hinges on applying the vendor's patch or removing the privileged capability."}}}}, "created": "2026-03-12T09:57:57.258873+00:00", "updated": "2026-03-25T11:50:12.419914+00:00", "vendors": ["splunk", "splunk$PRODUCT$splunk_cloud_platform", "splunk$PRODUCT$splunk_enterprise"]}