PatchSiren

CVE-2026-20251 Splunk CVE debrief

CVE-2026-20251 is a high-severity vulnerability affecting Splunk Enterprise, Splunk Cloud Platform, and Splunk Secure Gateway. A low-privileged user without 'admin' or 'power' roles could exploit this vulnerability to achieve Remote Code Execution (RCE). The issue arises from the unsafe deserialization of App Key Value Store (KV Store) data via the 'jsonpickle' Python library.

Vendor: Splunk
Product: Splunk Enterprise
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-10
Original CVE updated: 2026-06-10
Advisory published: 2026-06-10
Advisory updated: 2026-06-10

Who should care

Users of the following products should prioritize patching this vulnerability:

  • Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13
  • Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132
  • Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67

Technical summary

The vulnerability is caused by the unsafe deserialization of App Key Value Store (KV Store) data through the 'jsonpickle' Python library. This allows a low-privileged user to reconstruct arbitrary Python objects from specially crafted JSON without adequate validation, leading to Remote Code Execution (RCE).

Defensive priority

High

Recommended defensive actions

  • Apply patches for Splunk Enterprise, Splunk Cloud Platform, and Splunk Secure Gateway to the latest versions.
  • Restrict access to sensitive components and ensure users have the least privilege necessary.
  • Monitor for suspicious activity and implement additional security measures to detect potential exploitation attempts.
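
For the monitoring action above, one possible check is to look for jsonpickle's reserved "py/" keys in KV Store records, since those keys are what direct the library to rebuild Python objects. This is an added example, not code from the advisory or from Splunk. It assumes the records were already exported as a list of JSON documents with a `_key` field; the function names, sample records, and class names are constructed placeholders.

```python
import json

# jsonpickle marks serialized Python objects with reserved keys that start
# with "py/"; ordinary application data has no reason to contain them.
TAG_PREFIX = "py/"

def find_jsonpickle_tags(value, path="$", depth=0, max_depth=64):
    """Return (path, key) for every dict key that looks like a jsonpickle tag."""
    hits = []
    if depth > max_depth:  # stop on pathologically deep input
        return hits
    if isinstance(value, dict):
        for key, child in value.items():
            if isinstance(key, str) and key.startswith(TAG_PREFIX):
                hits.append((path, key))
            hits += find_jsonpickle_tags(child, f"{path}.{key}", depth + 1, max_depth)
    elif isinstance(value, list):
        for i, child in enumerate(value):
            hits += find_jsonpickle_tags(child, f"{path}[{i}]", depth + 1, max_depth)
    elif isinstance(value, str) and value.lstrip()[:1] in ("{", "["):
        # A string field may itself hold serialized JSON; parse it with the
        # plain json module (never jsonpickle) and inspect it too.
        try:
            inner = json.loads(value)
        except (ValueError, RecursionError):
            return hits
        hits += find_jsonpickle_tags(inner, path + "<json>", depth + 1, max_depth)
    return hits

def scan_records(records):
    """Map each flagged record's _key to its list of hits."""
    findings = {}
    for rec in records:
        hits = find_jsonpickle_tags(rec)
        if hits:
            key = rec.get("_key", "<no _key>") if isinstance(rec, dict) else "<non-object>"
            findings[key] = hits
    return findings

# Constructed sample records (assumed export shape; class names are placeholders).
SAMPLE_RECORDS = [
    {"_key": "a1", "_user": "nobody", "device": "phone-01", "enabled": True},
    {"_key": "b2", "_user": "alice", "settings": {"py/object": "placeholder.module.PlaceholderClass"}},
    {"_key": "c3", "_user": "bob", "blob": json.dumps({"items": [{"py/type": "placeholder.Name"}]})},
]

if __name__ == "__main__":
    for key, hits in scan_records(SAMPLE_RECORDS).items():
        print(key, hits)
```

A hit is a lead for review rather than proof of exploitation; the `_user` field on a flagged record shows which account owns it.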

Evidence notes

The CVE-2026-20251 vulnerability has a CVSS score of 8.8 and is classified as HIGH severity. It was published on 2026-06-10T18:16:40.477Z and modified on 2026-06-10T18:36:19.463Z.
