CVE 8.8 HIGH

Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway_CVE-2026-20251

June 10, 2026 invoker category_cve

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could perform a Remote Code Execution (RCE) through the Splunk Secure Gateway app.<br><br>The Remote Code Execution is possible because of unsafe deserialization of App Key Value Store (KV Store) data through the ‘jsonpickle’ Python library, which reconstructs arbitrary Python objects from specially crafted JavaScript Object Notation (JSON) without adequate validation.

AI Analysis

Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway

Basic Information

ID CVE-2026-20251

Source cisco

Published Jun 10, 2026 at 17:16

Modified Jun 10, 2026 at 18:26

Affected Product

Vendor Splunk

Product Splunk Enterprise, Splunk Cloud Platform, Splunk Secure Gateway

Version 10.2.4, 10.0.7, 9.4.12, 9.3.13, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, 9.3.2411.132, 3.10.6, 3.9.20, 3.8.67

Affected Versions Splunk Splunk Enterprise 10.2
Splunk Splunk Enterprise 10.0
Splunk Splunk Enterprise 9.4
Splunk Splunk Enterprise 9.3
Splunk Splunk Cloud Platform 10.3.2512
Splunk Splunk Cloud Platform 10.2.2510
Splunk Splunk Cloud Platform 10.1.2507
Splunk Splunk Cloud Platform 9.3.2411
Splunk Splunk Secure Gateway 3.10
Splunk Splunk Secure Gateway 3.9
Splunk Splunk Secure Gateway 3.8

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Splunk

Product Splunk Enterprise, Splunk Cloud Platform, Splunk Secure Gateway

Version 10.2.4, 10.0.7, 9.4.12, 9.3.13, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, 9.3.2411.132, 3.10.6, 3.9.20, 3.8.67

References

advisory.splunk.com /advisories/SVD-2026-0601

{
    "lastseen": "",
    "description": "In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could perform a Remote Code Execution (RCE) through the Splunk Secure Gateway app.<br><br>The Remote Code Execution is possible because of unsafe deserialization of App Key Value Store (KV Store) data through the \u2018jsonpickle\u2019 Python library, which reconstructs arbitrary Python objects from specially crafted JavaScript Object Notation (JSON) without adequate validation.",
    "published": "2026-06-10T17:16:00.352Z",
    "modified": "2026-06-10T18:26:16.204Z",
    "type": "cve",
    "title": "Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway",
    "source": "cisco",
    "references": "https://advisory.splunk.com/advisories/SVD-2026-0601",
    "id": "CVE-2026-20251",
    "bulletinFamily": "",
    "cwe": null,
    "cvelist": null,
    "sourceData": "Splunk Splunk Enterprise 10.2\nSplunk Splunk Enterprise 10.0\nSplunk Splunk Enterprise 9.4\nSplunk Splunk Enterprise 9.3\nSplunk Splunk Cloud Platform 10.3.2512\nSplunk Splunk Cloud Platform 10.2.2510\nSplunk Splunk Cloud Platform 10.1.2507\nSplunk Splunk Cloud Platform 9.3.2411\nSplunk Splunk Secure Gateway 3.10\nSplunk Splunk Secure Gateway 3.9\nSplunk Splunk Secure Gateway 3.8",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Splunk Enterprise, Splunk Cloud Platform, Splunk Secure Gateway",
    "version": "10.2.4, 10.0.7, 9.4.12, 9.3.13, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, 9.3.2411.132, 3.10.6, 3.9.20, 3.8.67",
    "vendor": "Splunk",
    "ai_description": "Remote Code Execution through Deserialization of Untrusted Data in Splunk Secure Gateway",
    "ai_severity": "High",
    "ai_vendor": "Splunk",
    "ai_product": "Splunk Enterprise, Splunk Cloud Platform, Splunk Secure Gateway",
    "ai_version": "10.2.4, 10.0.7, 9.4.12, 9.3.13, 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, 9.3.2411.132, 3.10.6, 3.9.20, 3.8.67",
    "ai_score": 8.8
}

💭 Join the Security Discussion ❌ Cancel Reply