Public PoC Released for Splunk Secure Gateway RCE Vulnerability
A public proof-of-concept has been released for CVE-2026-20251, a high-severity remote code execution vulnerability affecting Splunk Secure Gateway and related Splunk deployments. The flaw can let a low-privileged authenticated user run code through unsafe deserialization.
Splunk disclosed the issue on June 10, 2026, in SVD-2026-0601. The company assigned the vulnerability a CVSS 3.1 score of 8.8, with low attack complexity and no user interaction required after authentication.
The NVD entry for CVE-2026-20251 confirms that a low-privileged user without the admin or power Splunk roles could perform remote code execution through the Splunk Secure Gateway app.
What CVE-2026-20251 affects
The vulnerable path involves Splunk Secure Gateway processing data from Splunk's App Key Value Store, also known as KV Store. The risky behavior comes from unsafe deserialization through the jsonpickle Python library.
According to Splunk, jsonpickle can reconstruct Python objects from specially crafted JSON when the input lacks adequate validation. That creates a dangerous condition when attacker-controlled data reaches a deserialization path.
The vulnerability affects several Splunk Enterprise, Splunk Cloud Platform, and Splunk Secure Gateway versions. Splunk Cloud Platform customers are being patched by Splunk, while self-managed administrators must apply the relevant updates.
Affected and fixed versions
| Product | Affected versions | Fixed version |
|---|---|---|
| Splunk Enterprise 10.2 | 10.2.0 to 10.2.3 | 10.2.4 or later |
| Splunk Enterprise 10.0 | 10.0.0 to 10.0.6 | 10.0.7 or later |
| Splunk Enterprise 9.4 | 9.4.0 to 9.4.11 | 9.4.12 or later |
| Splunk Enterprise 9.3 | 9.3.0 to 9.3.12 | 9.3.13 or later |
| Splunk Secure Gateway 3.10 | Below 3.10.6 | 3.10.6 or later |
| Splunk Secure Gateway 3.9 | Below 3.9.20 | 3.9.20 or later |
| Splunk Secure Gateway 3.8 | Below 3.8.67 | 3.8.67 or later |
The NVD record also lists affected Splunk Cloud Platform builds below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132.
Splunk Enterprise 10.4 is not affected by this specific Splunk Secure Gateway component issue, according to the vendor's product status table.
Administrators should still review their full June 2026 Splunk patch exposure because the same advisory batch included other vulnerabilities affecting Splunk Enterprise and related components.
PoC release raises patch urgency
The public proof-of-concept was published by ReactiveZero Security Research under reference 2026FO-SPLUNK-20251. The ReactiveZero PoC repository describes the issue as a jsonpickle deserialization RCE in Splunk Secure Gateway.
The PoC reportedly demonstrates two conditions: a validation bypass and execution through a jsonpickle deserialization path. The published material says the test used a benign command to prove the code path, rather than a weaponized exploit against a third-party system.
A separate ReactiveZero technical write-up says the flaw can be triggered when a low-privileged attacker stores crafted data in the mobile_alerts KV Store collection and Splunk Secure Gateway later processes it.
How the vulnerability works
The core issue sits in the way Splunk Secure Gateway handles stored alert data. Data placed in KV Store can reach a deserialization function that reconstructs Python objects from JSON.
The research says a validation routine can approve a document too early after seeing an allowed top-level object marker. Because of that short-circuit behavior, deeper dangerous fields may not receive full inspection before jsonpickle processes the data.
The ReactiveZero repository says the outcome can be code execution as the Splunk service account. That makes the bug more serious than a normal application-layer flaw because Splunk often runs inside sensitive monitoring environments.
Why Splunk servers are high-value targets
Splunk deployments often sit close to logs, alerts, authentication records, cloud telemetry, and security operations workflows. A successful RCE on a Splunk host can give attackers access to valuable operational and security data.
Even though CVE-2026-20251 requires authentication, the required access level is low. That means a compromised basic account, an exposed test user, or weak internal access controls can increase the risk.
Security teams should treat the public PoC as a reason to accelerate remediation. Once working exploit logic becomes public, attackers often adapt it for scanning, internal movement, or targeted attacks against slow-to-patch environments.
Recommended fixes and mitigations
The primary fix is to upgrade to a patched Splunk Enterprise or Splunk Secure Gateway version. Splunk Cloud customers should confirm their tenant status through normal Splunk support channels if they need assurance about patch timing.
If immediate patching is not possible, Splunk's advisory recommends turning off or removing the Splunk Secure Gateway app. This mitigation can reduce exposure, but it also affects features that depend on the app.
Splunk notes that Splunk Mobile, Spacebridge, and Mission Control rely on Splunk Secure Gateway functionality. Administrators should weigh the service impact before disabling the app in production.
Security teams should check access and logs
Organizations should review which users can write to relevant KV Store collections and confirm that low-privileged roles do not have unnecessary access. Collection-level access controls matter because the exploit path depends on stored data reaching the vulnerable processor.
- Upgrade Splunk Enterprise and Splunk Secure Gateway to fixed versions.
- Disable or remove Splunk Secure Gateway if the app is not required and patching must wait.
- Review role permissions and KV Store write access.
- Check for unusual requests involving Splunk Secure Gateway alert processing.
- Monitor for unexpected child processes from the Splunk service account.
- Investigate suspicious REST API activity from low-privileged accounts.
The ReactiveZero analysis also recommends avoiding arbitrary object reconstruction from externally influenced stored data and replacing unsafe deserialization with strict schema-validated parsing.
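To make the short-circuit failure mode described under "How the vulnerability works" concrete, and to show the strict schema-validated parsing the analysis recommends instead, here is an added example that is not code from Splunk, ReactiveZero or the PoC. The alert document shape, the field names and the sample documents are assumptions constructed for this illustration; the only real detail borrowed is that jsonpickle marks objects to reconstruct with "py/..." keys.

```python
import json

# Assumed document shape for a stored alert (constructed; not Splunk's real mobile_alerts schema).
ALLOWED_KEYS = {"alert_id", "title", "severity", "fields"}
ALLOWED_SEVERITIES = {"low", "medium", "high", "critical"}

def _has_pickle_marker(node) -> bool:
    """Recursively look for jsonpickle's 'py/...' control keys at ANY depth.
    jsonpickle uses keys such as 'py/object' to name the class it should rebuild."""
    if isinstance(node, dict):
        return any((isinstance(k, str) and k.startswith("py/")) or _has_pickle_marker(v)
                   for k, v in node.items())
    if isinstance(node, list):
        return any(_has_pickle_marker(v) for v in node)
    return False

def naive_validate(raw: str) -> bool:
    """Models the short-circuit bug: approves the document as soon as the
    top-level keys look right, without inspecting nested values."""
    doc = json.loads(raw)
    return isinstance(doc, dict) and set(doc) <= ALLOWED_KEYS and "alert_id" in doc

def strict_validate(raw: str) -> bool:
    """Schema-validated parsing: exact key set, typed values, and no
    jsonpickle control keys anywhere in the tree."""
    doc = json.loads(raw)  # plain JSON parsing never reconstructs Python objects
    if not isinstance(doc, dict) or set(doc) != ALLOWED_KEYS:
        return False
    if not all(isinstance(doc[k], str) for k in ("alert_id", "title")):
        return False
    if doc["severity"] not in ALLOWED_SEVERITIES:
        return False
    fields = doc["fields"]
    if not isinstance(fields, dict) or not all(
            isinstance(k, str) and isinstance(v, (str, int, float, bool))
            for k, v in fields.items()):
        return False
    return not _has_pickle_marker(doc)

def load_alert(raw: str) -> dict:
    """Accept an alert only after strict validation; never hand data that another
    user could have written to the store to jsonpickle.decode."""
    if not strict_validate(raw):
        raise ValueError("alert document rejected by schema validation")
    return json.loads(raw)

# Constructed samples: a benign alert, and one whose nested value carries a jsonpickle
# control key (the class name is a placeholder, not a real gadget).
BENIGN = '{"alert_id": "a1", "title": "disk full", "severity": "high", "fields": {"host": "web01"}}'
NESTED = '{"alert_id": "a2", "title": "x", "severity": "high", "fields": {"py/object": "example.Placeholder"}}'
```

The naive check accepts both documents because it stops at the top level, while the strict check rejects the second one on the nested control key; the same recursive scan can be reused to audit existing KV Store contents for unexpected "py/" keys.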
What administrators should do now
Splunk administrators should first identify every Splunk Enterprise, Splunk Cloud Platform, and Splunk Secure Gateway deployment in scope. They should then compare installed versions against the fixed versions and prioritize internet-exposed or broadly accessible instances.
Teams should also check whether Splunk Secure Gateway is actually needed. If the organization does not use Splunk Mobile, Spacebridge, or Mission Control, disabling the app may provide a temporary risk reduction until maintenance windows allow full patching.
The most important step is fast remediation. CVE-2026-20251 combines low-privilege access, unsafe deserialization, and public PoC availability, which makes delayed patching risky for environments where Splunk has access to sensitive operational or security data.
FAQ
What is CVE-2026-20251?
CVE-2026-20251 is a high-severity remote code execution vulnerability in Splunk Secure Gateway caused by unsafe deserialization of App Key Value Store data through the jsonpickle Python library.
Does exploitation require authentication?
Yes. The vulnerability requires a valid low-privileged Splunk account, but the attacker does not need admin or power roles to exploit the vulnerable path.
Which versions fix the vulnerability?
Splunk Secure Gateway 3.10.6, 3.9.20, and 3.8.67 fix the vulnerability. Organizations should also apply the relevant Splunk Enterprise or Splunk Cloud Platform updates.
What can be done if patching must wait?
Splunk recommends turning off or removing the Splunk Secure Gateway app as a temporary mitigation. This can affect Splunk Mobile, Spacebridge, and Mission Control functionality.
Why does the public PoC matter?
A public proof-of-concept gives defenders useful validation details, but it can also help attackers understand the vulnerable code path. Organizations should patch faster once PoC details become public.