Patch Splunk RCE Alert
A social post warned of a remote-code-execution vulnerability in Splunk tracked as CVE-2026-20163 and urged administrators to patch to version 10.2.0 or later. (x.com) The warning appeared alongside other Splunk ecosystem chatter over the last 48 hours, a signal that administrators should verify their Splunk build and update if necessary. (x.com)
A newly disclosed Splunk flaw can let a privileged user run shell commands on the server, and fixes start at Splunk Enterprise 10.2.0. (advisory.splunk.com) Splunk published advisory SVD-2026-0302 on March 11, 2026 for CVE-2026-20163 and rated it 8.0 on the Common Vulnerability Scoring System version 3.1, which is classified as High. The bug sits in the `/splunkd/__upload/indexing/preview` REST endpoint and involves the `unarchive_cmd` parameter. (advisory.splunk.com)
The vulnerable builds are Splunk Enterprise versions below 10.2.0, 10.0.4, 9.4.9, and 9.3.10. Splunk Cloud Platform is affected below 10.2.2510.5, 10.0.2503.12, 10.1.2507.16, and 9.3.2411.124. (nvd.nist.gov)
Remote code execution means the software accepts input that ends up being treated as a system command, as if a search box had become a keyboard attached to the server. In this case, Splunk said a user with a role containing the `edit_cmd` capability could execute arbitrary shell commands. (advisory.splunk.com) That requirement makes this an authenticated and privileged attack, not an unauthenticated internet-wide takeover. Splunk's published vector lists network access, low attack complexity, no user interaction, and high impact on confidentiality, integrity, and availability. (advisory.splunk.com; nvd.nist.gov)
The version guidance in some social posts is incomplete. Splunk's own advisory lists four fixed Enterprise branches and four fixed Cloud branches, so administrators on 10.0.x, 9.4.x, or 9.3.x do not need to jump straight to 10.2.0 if they can apply the supported patch in their branch. (advisory.splunk.com)
The disclosure also landed in a busy month for Splunk security updates. On April 15, 2026, Splunk published SVD-2026-0403 for CVE-2026-20204, another high-severity issue that could allow remote code execution through temporary-file handling in versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11. (advisory.splunk.com)
The National Vulnerability Database entry for CVE-2026-20163 matches Splunk's product and version list, which gives defenders a second source for asset checks and ticketing. As of the current entry, the database describes the flaw but does not add a vendor workaround beyond upgrading. (nvd.nist.gov)
For administrators, the immediate check is simple: confirm the exact Splunk Enterprise or Splunk Cloud build, review whether any custom roles include `edit_cmd`, and move to a patched release in the supported branch. Splunk's advisory page is the source record for the fixed versions and publication date. (advisory.splunk.com)
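The two administrator checks described above, build verification and `edit_cmd` role review, can be scripted so they run the same way on every host. The following is an added example written for this page, not Splunk's own tooling and not taken from the advisory. The fixed-version tables are transcribed from the version list above; branches the advisory does not name (for example Enterprise 10.1.x) are reported for manual review rather than judged. The role check assumes Splunk's `authorize.conf` layout, where each role is a `[role_<name>]` stanza, capabilities are `<capability> = enabled` keys, and `importRoles` lists parent roles separated by semicolons; the sample `authorize.conf` text is constructed for the example and follows `importRoles` so a custom role that inherits `edit_cmd` from `admin` is reported too.

```python
"""Post-advisory checks for CVE-2026-20163 (Splunk SVD-2026-0302).

Added example, not Splunk's own tooling. Two offline checks:
1. compare a build string against the fixed versions the advisory lists,
   per release branch;
2. find roles in authorize.conf-style text that hold a capability directly
   or through importRoles inheritance.
"""
from __future__ import annotations

import re

# Fixed releases per branch, keyed by "major.minor", transcribed from the
# advisory summary. Branches the advisory does not name (e.g. Enterprise
# 10.1.x) deliberately have no entry and are reported as unlisted.
FIXED_ENTERPRISE = {
    "10.2": (10, 2, 0),
    "10.0": (10, 0, 4),
    "9.4": (9, 4, 9),
    "9.3": (9, 3, 10),
}
FIXED_CLOUD = {
    "10.2": (10, 2, 2510, 5),
    "10.1": (10, 1, 2507, 16),
    "10.0": (10, 0, 2503, 12),
    "9.3": (9, 3, 2411, 124),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '9.4.8' or '10.2.2510.3' into a comparable tuple of ints."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def check_build(product: str, version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unlisted-branch' for one build.

    product is 'enterprise' or 'cloud'. Only branches named in the advisory
    are judged; anything else goes back to a human with the advisory link.
    """
    table = {"enterprise": FIXED_ENTERPRISE, "cloud": FIXED_CLOUD}[product]
    v = parse_version(version)
    fixed = table.get(f"{v[0]}.{v[1]}") if len(v) >= 2 else None
    if fixed is None:
        return "unlisted-branch"
    v = v + (0,) * (len(fixed) - len(v))  # '10.2' compares as 10.2.0
    return "patched" if v >= fixed else "vulnerable"


def parse_authorize_conf(text: str) -> dict[str, dict[str, str]]:
    """Minimal parser for the [role_<name>] stanzas of authorize.conf."""
    roles: dict[str, dict[str, str]] = {}
    current: dict[str, str] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[role_([^\]]+)\]", line)
        if m:
            current = roles.setdefault(m.group(1), {})
            continue
        if current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            current[key] = value
    return roles


def roles_with_capability(text: str, capability: str) -> dict[str, str]:
    """Map role name -> 'direct' or 'via <parent>' for roles holding capability.

    Walks importRoles recursively (cycle-safe), because a custom role that
    imports admin holds edit_cmd even though its own stanza never says so.
    """
    roles = parse_authorize_conf(text)
    direct = {n for n, kv in roles.items() if kv.get(capability) == "enabled"}

    def holds(name: str, seen: frozenset[str]) -> str | None:
        if name in direct:
            return "direct"
        if name in seen or name not in roles:
            return None
        for parent in re.split(r"[;,]", roles[name].get("importRoles", "")):
            parent = parent.strip()
            if parent and holds(parent, seen | {name}) is not None:
                return f"via {parent}"
        return None

    return {n: how for n in roles if (how := holds(n, frozenset()))}


# Constructed sample, not a real deployment.
SAMPLE_AUTHORIZE_CONF = """\
[role_admin]
edit_cmd = enabled
edit_user = enabled

[role_user]
search = enabled

[role_power]
importRoles = user
schedule_search = enabled

[role_soc_analyst]
importRoles = power
search = enabled

[role_platform_ops]
importRoles = power;admin
"""

if __name__ == "__main__":
    for product, build in [("enterprise", "9.4.8"), ("enterprise", "10.2.0"),
                           ("cloud", "10.1.2507.15"), ("enterprise", "10.1.2")]:
        print(f"{product} {build}: {check_build(product, build)}")
    for role, how in roles_with_capability(SAMPLE_AUTHORIZE_CONF, "edit_cmd").items():
        print(f"role {role} holds edit_cmd ({how})")
```

On a real host the build string comes from `splunk version` or the server info REST endpoint, and the role text from the effective `authorize.conf`; feed those into `check_build` and `roles_with_capability` in place of the constructed inputs. Roles reported as `via admin` are the ones most often missed in a manual review, since only the `admin` stanza mentions `edit_cmd` directly.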