A recent public disclosure describes a significant security flaw, tracked as CVE-2026-20251, in Splunk Secure Gateway (SSG). The vulnerability carries a CVSS score of 8.8 (high severity) and allows an attacker to execute code on a Splunk server without high-level access.
Understanding the Vulnerability
The vulnerability lies in the alert processing pipeline of Splunk Secure Gateway. The pipeline reads documents from the App Key Value Store (KV Store), specifically the mobile_alerts collection, and thereby processes documents an attacker controls. The flaw arises when those documents are handed to jsonpickle.decode(), a function of the jsonpickle Python library that deserializes JSON back into Python objects.
Although the call uses the safe=True parameter, which is meant to stop jsonpickle from evaluating strings, control tags such as py/reduce and py/object are still honoured. An attacker can use these tags to have arbitrary commands executed during deserialization.
Exploiting the Flaw
A low-privileged Splunk account is sufficient to exploit this vulnerability. The attacker inserts a crafted document into the mobile_alerts collection through the Splunk REST API. When the alert is processed, the document passes the check_alert_data_valid_json validator because of its structure, specifically a py/object key.
jsonpickle.decode() then reconstructs the malicious object, which leads to arbitrary commands running on the operating system. Because the technique slips past the pipeline's own validation, it is a serious concern for any exposed deployment.
Mitigation and Recommendations
Researcher Fady Oueslati of ReactiveZero Security Research released a proof-of-concept (PoC) for the vulnerability on June 26, 2026. The PoC, identified as 2026FO-SPLUNK-20251, demonstrates that the validator can be bypassed and commands executed even with safe=True enabled.
Organizations using Splunk Secure Gateway should upgrade to version 3.8.67, 3.9.20 or 3.10.6, depending on their release branch, and update Splunk Enterprise to version 10.0.7 or higher. If immediate patching is not possible, disabling or removing the Splunk Secure Gateway app is advised as a temporary measure, at the cost of the functionality the app provides.
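The version guidance above is per release branch, so a quick inventory check helps decide which hosts still need action. The following script is an added example, not part of the advisory or any Splunk tooling: it encodes the fixed versions named above in a table and reports which hosts still need an upgrade. The inventory, host names and the handling of branches outside 3.8 to 3.10 (newer branches assumed fixed, older ones directed to the newest fixed release) are assumptions made here.

```python
import re
from typing import NamedTuple, Optional

Version = tuple[int, ...]

# Fixed Splunk Secure Gateway versions from the advisory, keyed by release branch.
SSG_FIXED = {
    (3, 8): (3, 8, 67),
    (3, 9): (3, 9, 20),
    (3, 10): (3, 10, 6),
}
# Fixed Splunk Enterprise version from the advisory ("10.0.7 or higher").
ENTERPRISE_FIXED = (10, 0, 7)


def parse_version(text: str) -> Version:
    """Turn '3.9.12' (or '3.9.12-build7') into the comparable tuple (3, 9, 12)."""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def fmt(version: Version) -> str:
    return ".".join(map(str, version))


def ssg_needs_upgrade(installed: Version) -> Optional[str]:
    """Return the SSG version to upgrade to, or None if the installed build is fixed.

    Assumption (not stated on the page): a branch newer than 3.10 is treated as
    fixed, and a branch older than 3.8 is sent to the newest fixed release.
    """
    branch = installed[:2]
    if branch in SSG_FIXED:
        target = SSG_FIXED[branch]
        return None if installed >= target else fmt(target)
    newest = max(SSG_FIXED.values())
    return None if branch > newest[:2] else fmt(newest)


def enterprise_needs_upgrade(installed: Version) -> Optional[str]:
    """Splunk Enterprise is fixed at 10.0.7 or higher."""
    return None if installed >= ENTERPRISE_FIXED else fmt(ENTERPRISE_FIXED)


class Finding(NamedTuple):
    host: str
    component: str
    installed: str
    action: str


def audit(inventory: list) -> list:
    """Walk an inventory of hosts and list every component that still needs action."""
    findings = []
    for entry in inventory:
        ssg = entry.get("ssg_version")
        if ssg is not None:  # hosts without the app have nothing to patch
            target = ssg_needs_upgrade(parse_version(ssg))
            if target:
                findings.append(Finding(entry["host"], "Splunk Secure Gateway", ssg,
                                        f"upgrade to {target}, or disable/remove the app until patched"))
        ent = entry.get("enterprise_version")
        if ent is not None:
            target = enterprise_needs_upgrade(parse_version(ent))
            if target:
                findings.append(Finding(entry["host"], "Splunk Enterprise", ent,
                                        f"upgrade to {target} or higher"))
    return findings


# Constructed inventory: example host names and versions, not real systems.
INVENTORY = [
    {"host": "sh-01", "ssg_version": "3.9.12", "enterprise_version": "10.0.5"},
    {"host": "sh-02", "ssg_version": "3.10.6", "enterprise_version": "10.0.7"},
    {"host": "sh-03", "ssg_version": "3.8.60", "enterprise_version": "10.0.7"},
    {"host": "sh-04", "enterprise_version": "10.0.7"},  # SSG already removed
]

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(f"{finding.host}: {finding.component} {finding.installed} -> {finding.action}")
```

Feed it the output of whatever asset inventory you keep for search heads; the point is that a 3.9.x host is only fixed at 3.9.20 and must not be judged against the 3.10.6 number.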
To further reduce risk, security teams should enforce least privilege, restrict write access to the mobile_alerts collection, and replace jsonpickle.decode() with a parser that cannot reconstruct arbitrary objects.
More broadly, integrating comprehensive threat detection into the security operations center (SOC) improves an organization's security posture and shortens the response to threats of this kind.
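The root cause described earlier (jsonpickle still honouring py/object and py/reduce keys under safe=True) and the recommendation just made (replace jsonpickle.decode()) come together in the example below. It is added here and is not code from the advisory, from Splunk or from the jsonpickle project: it parses an alert document with the standard json module, which only ever produces dicts, lists and scalars, and as a second layer rejects any document that carries a key beginning with py/, so such a document can never reach a pickling deserializer elsewhere. The sample documents, the class name placeholder and the function names are constructed for the example.

```python
import json
from typing import Any, Iterator

# jsonpickle treats dictionary keys that start with "py/" (for example
# "py/object" and "py/reduce") as instructions to rebuild Python objects.
# json.loads() never does that, so the hardening is: parse as plain data and
# refuse any document that still carries such control keys.
PICKLE_TAG_PREFIX = "py/"


def find_pickle_tags(node: Any, path: str = "$") -> Iterator[str]:
    """Yield a JSONPath-like location for every dict key jsonpickle would treat as a tag.

    Walks nested dicts and lists; scalar values are never tags, so they are skipped.
    """
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if isinstance(key, str) and key.startswith(PICKLE_TAG_PREFIX):
                yield here
            yield from find_pickle_tags(value, here)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from find_pickle_tags(item, f"{path}[{index}]")


class UnsafeAlertDocument(ValueError):
    """Raised when an alert document carries jsonpickle control tags."""


def load_alert_document(raw: str) -> dict:
    """Parse an alert document as data only; a drop-in replacement for jsonpickle.decode()."""
    doc = json.loads(raw)  # produces only dict/list/str/int/float/bool/None
    if not isinstance(doc, dict):
        raise UnsafeAlertDocument("alert document must be a JSON object")
    tags = list(find_pickle_tags(doc))
    if tags:
        raise UnsafeAlertDocument(f"jsonpickle control tags present at: {', '.join(tags)}")
    return doc


def scan_report(raw: str) -> dict:
    """Verdict for a stored document; convenient for a detection job sweeping the collection."""
    doc = json.loads(raw)
    tags = list(find_pickle_tags(doc))
    return {"accepted": isinstance(doc, dict) and not tags, "tags": tags}


# Constructed sample documents (not taken from the advisory or from Splunk).
BENIGN_ALERT = json.dumps({
    "alert_id": "example-0001",
    "severity": "high",
    "message": "Disk usage above 90% on host web-01",
    "recipients": [{"user": "oncall", "channel": "mobile"}],
})

# Same shape as a benign alert, but one nested key is a jsonpickle tag. The value
# is a harmless placeholder string; the key alone is enough to reject the document.
TAGGED_ALERT = json.dumps({
    "alert_id": "example-0002",
    "message": "looks normal",
    "recipients": [{"user": "oncall", "py/object": "placeholder.ClassName"}],
})

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN_ALERT), ("tagged", TAGGED_ALERT)):
        print(label, scan_report(raw))
```

scan_report() is the piece a SOC can run periodically over the mobile_alerts collection to detect documents shaped for a pickling deserializer, while load_alert_document() is what the pipeline itself should call so that the shape check and the data-only parser are enforced at the point of use.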
