Splunk Secure Gateway RCE Exposes Low-Privilege Path to Host Command Execution

CVE-2026-20251 affects Splunk Secure Gateway and lets an authenticated low-privileged user execute arbitrary OS commands on the underlying host. The flaw sits in Splunk Secure Gateway's alert processing, where KV Store data from the mobile_alerts collection can bypass validation and reach jsonpickle deserialization. Fixed versions include 3.8.67, 3.9.20, 3.10.6, and patched Splunk Enterprise branches.
Operationally, this turns routine app-level access into code execution as the Splunk service account, without admin privileges. The issue also highlights a recurring failure pattern: unsafe deserialization combined with validators that stop at the first trusted key instead of fully traversing nested data.
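The validator failure pattern described above, as an added illustration that is not Splunk's code and not taken from the advisory: a shallow check that accepts a document once its top-level keys look right, next to a recursive check that walks the whole structure and refuses any jsonpickle reserved tag (keys with the `py/` prefix) at any depth. The alert document shape, the `alert_id`/`payload` field names, and the sample documents are constructed for this example; the only real detail relied on is that jsonpickle marks serialized objects with `py/`-prefixed keys, which plain alert data never needs.

```python
"""
Added example (not Splunk's code): a validator that stops at the top level
versus one that traverses nested data before anything is deserialized.

Assumptions (hypothetical): alert documents are JSON objects from the
mobile_alerts collection; a "trusted" document has a known alert_id and an
allow-listed set of top-level fields; the application decodes them with
json.loads only and must never pass any part of them to jsonpickle.decode().
"""
import json
from typing import Any

# jsonpickle encodes Python objects with reserved keys prefixed "py/"
# (for example "py/object"). Ordinary alert data never carries such keys,
# so their presence at any depth means the document is an object graph,
# not data, and must not reach a pickle-style decoder.
JSONPICKLE_TAG_PREFIX = "py/"

# Hypothetical allow-list of top-level alert fields.
TOP_LEVEL_ALLOWED = {"alert_id", "title", "severity", "payload"}


def shallow_validate(doc: dict) -> bool:
    """Flawed validator: accepts the document as soon as the top-level keys
    are trusted, without looking inside nested values."""
    return "alert_id" in doc and set(doc) <= TOP_LEVEL_ALLOWED


def contains_pickle_tags(node: Any) -> bool:
    """Walk the entire document; True if any mapping key is a jsonpickle tag."""
    if isinstance(node, dict):
        return any(
            (isinstance(k, str) and k.startswith(JSONPICKLE_TAG_PREFIX))
            or contains_pickle_tags(v)
            for k, v in node.items()
        )
    if isinstance(node, list):
        return any(contains_pickle_tags(item) for item in node)
    return False


def deep_validate(doc: dict) -> bool:
    """Hardened validator: top-level allow-list plus a full traversal."""
    return shallow_validate(doc) and not contains_pickle_tags(doc)


def load_alert(raw: str) -> dict:
    """Decode with json.loads only, then validate; rejects tagged documents."""
    doc = json.loads(raw)
    if not isinstance(doc, dict) or not deep_validate(doc):
        raise ValueError("rejected: alert document failed validation")
    return doc


# Constructed sample documents (not real KV Store records).
BENIGN = (
    '{"alert_id": "a1", "title": "disk full", "severity": "high",'
    ' "payload": {"host": "web01"}}'
)
# Top level looks trusted, but the nested payload carries a jsonpickle tag
# with a placeholder class name.
NESTED_TAG = (
    '{"alert_id": "a2", "title": "x", "severity": "low",'
    ' "payload": {"py/object": "placeholder.SomeClass"}}'
)


def demo() -> dict:
    """Run both validators over the samples and return their verdicts."""
    results = {}
    for name, raw in (("benign", BENIGN), ("nested_tag", NESTED_TAG)):
        doc = json.loads(raw)
        results[name] = {
            "shallow": shallow_validate(doc),
            "deep": deep_validate(doc),
        }
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: shallow={verdict['shallow']} deep={verdict['deep']}")
```

The shallow validator passes both documents because it only inspects top-level keys; the deep validator accepts the benign one and rejects the document whose nested payload carries a `py/object` tag. Refusing tagged input is a detection-side backstop; the primary fix is the one the advisory's patched versions apply, which is to keep KV Store data away from jsonpickle deserialization altogether.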
Source: Telegram "sitreports"