Public PoC Released for Deserialization RCE Vulnerability in Splunk Secure Gateway

Jun 30, 2026 · 3 min read
A public proof-of-concept (PoC) exploit has been released for CVE-2026-20251, a high-severity remote code execution (RCE) vulnerability affecting Splunk Secure Gateway (SSG).

The flaw, carrying a CVSS score of 8.8, allows a low-privileged authenticated attacker to execute arbitrary code on the Splunk host server without requiring admin or power-level roles.

CVE-2026-20251 resides in Splunk Secure Gateway’s alert processing pipeline. The component reads attacker-controlled documents from Splunk’s App Key Value Store (KV Store), specifically the mobile_alerts collection, and passes them directly to jsonpickle.decode(), a Python deserialization library capable of reconstructing arbitrary Python objects from crafted JSON.

Although the call sets safe=True, this flag only blocks the legacy py/repr evaluation path. Critical gadget tags including py/reduce, py/object, py/type, py/function, and py/module remain fully exploitable.

Splunk Secure Gateway Deserialization RCE Vulnerability

A secondary validator (check_alert_data_valid_json), intended to block dangerous tags, short-circuits on the first recognized key.

If the first top-level key is a permitted py/object value starting with spacebridgeapp, the function immediately returns True and never inspects sibling keys, including any embedded py/reduce gadget.

The exploit requires only a valid low-privilege Splunk account. The attacker writes a specially crafted bypass document to the mobile_alerts KV Store collection via the Splunk REST API.

When SSG processes an alert fetch request, alerts_request_processor.py reads the document, the validator passes it (tricked by the lure py/object key), and jsonpickle.decode() reconstructs the malicious object, triggering arbitrary OS command execution.

The bypass document structure exploits this logic flaw:

{
  "py/object": "spacebridgeapp.data.alert_data.Alert",
  "notification": {
    "py/reduce": [
      {"py/function": "subprocess.check_output"},
      {"py/tuple": [["uname", "-a"]]}
    ]
  }
}

The validator approves the document on the py/object key and never reaches the malicious notification payload.

Researcher Fady Oueslati of ReactiveZero Security Research published the PoC (poc_cve_2026_20251.py) on June 26, 2026, under reference 2026FO-SPLUNK-20251.

The PoC demonstrates two independent conditions: validator bypass (returning True for the crafted document) and py/reduce execution under safe=True.

The payload used is deliberately benign (uname -a). Testing was conducted on SSG 3.9.19 running on Splunk Enterprise 10.0.6.

Organizations should immediately upgrade Splunk Secure Gateway to versions 3.9.20, 3.10.6, or 3.8.67, and Splunk Enterprise to 10.0.7, 10.2.4, or 10.4.0+.

If patching is not immediately possible, disable or remove the Splunk Secure Gateway app entirely as a short-term mitigation. However, this disables Splunk Mobile, Spacebridge, and Mission Control functionality.

Security teams should also enforce least-privilege roles, restrict KV Store write access to the mobile_alerts collection, and replace jsonpickle.decode() on attacker-reachable code paths with strict schema-validated parsers.
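One way to implement the strict, schema-validated parsing recommended above, as an added example that is not Splunk's or the researcher's code: a validator that walks the whole document instead of stopping at the first recognized key, then checks the result against a fixed field list. The alert field names (title, message, severity) are a hypothetical schema, not SSG's real one.

```python
import json

# Constructed samples: the bypass document quoted in the article (benign
# "uname -a" payload) and a hypothetical well-formed alert.
BYPASS_RAW = """{
  "py/object": "spacebridgeapp.data.alert_data.Alert",
  "notification": {
    "py/reduce": [
      {"py/function": "subprocess.check_output"},
      {"py/tuple": [["uname", "-a"]]}
    ]
  }
}"""
BENIGN_RAW = '{"title": "Disk full", "message": "/var at 95%", "severity": "high"}'

# Hypothetical alert schema: field name -> required primitive type.
ALERT_SCHEMA = {"title": str, "message": str, "severity": str}


def find_py_tags(node, path="$"):
    """Return every (json_path, tag) whose key starts with 'py/', at any depth.
    Every dict key and list element is visited, so a permitted-looking first
    key (the lure py/object) cannot shadow a py/reduce gadget nested beside it."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(key, str) and key.startswith("py/"):
                hits.append((child, key))
            hits.extend(find_py_tags(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_py_tags(item, f"{path}[{i}]"))
    return hits


def validate_alert(raw):
    """Strict schema check meant to replace jsonpickle.decode() on this path.
    Returns the reasons to reject; an empty list means the document is a plain
    alert that json.loads (which never reconstructs objects) has already parsed."""
    doc = json.loads(raw)
    if not isinstance(doc, dict):
        return ["alert must be a JSON object"]
    problems = [f"jsonpickle tag {tag} at {p}" for p, tag in find_py_tags(doc)]
    problems += [f"unexpected field {f!r}" for f in sorted(set(doc) - set(ALERT_SCHEMA))]
    problems += [f"field {f!r} missing or not {t.__name__}"
                 for f, t in ALERT_SCHEMA.items() if not isinstance(doc.get(f), t)]
    return problems
```

Run against BYPASS_RAW the validator reports the py/object lure and the nested py/reduce, py/function and py/tuple tags, so the document is refused before any deserializer sees it.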

Source: CybersecurityNews.com