Critical RCE Vulnerability in Splunk Secure Gateway Exploited via Public PoC

A critical remote code execution (RCE) vulnerability, identified as CVE-2026-20251, has been discovered in Splunk Secure Gateway (SSG). This flaw allows low-privileged authenticated users to execute arbitrary code on the Splunk host server without requiring administrative or power-level roles. The vulnerability carries a CVSS score of 8.8, indicating its high severity.

The issue resides in SSG’s alert processing pipeline, which reads attacker-controlled documents from Splunk’s App Key Value Store (KV Store), specifically the mobile_alerts collection. These documents are then passed directly to jsonpickle.decode(), a function from the jsonpickle Python deserialization library that can reconstruct arbitrary Python objects from crafted JSON. Although the call uses safe=True, that flag only blocks the legacy py/repr evaluation path and leaves gadget tags such as py/reduce, py/object, py/type, py/function, and py/module usable.

A secondary validator, check_alert_data_valid_json, intended to block dangerous tags, short-circuits on the first recognized key. If the first top-level key is a permitted py/object value that starts with spacebridgeapp, the function immediately returns True without inspecting sibling keys, including any embedded py/reduce gadget. A document that leads with such a key therefore passes validation regardless of what follows.

To exploit this vulnerability, an attacker with a valid low-privilege Splunk account can write a specially crafted document to the mobile_alerts KV Store collection via the Splunk REST API. When SSG processes an alert fetch request, alert_request_processor.py reads the document, the validator passes it (satisfied by the decoy py/object key), and jsonpickle.decode() reconstructs the malicious object, triggering arbitrary operating system command execution.

The bypass document structure exploits this logic flaw:

{
  "py/object": "spacebridgeapp.data.alert_data.Alert",
  "notification": {
    "py/reduce": [
      {"py/function": "subprocess.check_output"},
      {"py/tuple": [["uname", "-a"]]}
    ]
  }
}

In this structure, the validator approves the document based on the py/object key and never reaches the malicious notification payload.

Security researcher Fady Oueslati of ReactiveZero Security Research published a proof-of-concept (PoC) exploit for this vulnerability on June 26, 2026. The PoC demonstrates two independent conditions: validator bypass (returning True for the crafted document) and py/reduce execution under safe=True. The payload used is deliberately benign (uname -a). Testing was conducted on SSG 3.9.19 running on Splunk Enterprise 10.0.6.

Organizations are strongly advised to upgrade Splunk Secure Gateway to versions 3.9.20, 3.10.6, or 3.8.67, and Splunk Enterprise to 10.0.7, 10.2.4, or 10.4.0 or later. If immediate patching is not feasible, disabling or removing the Splunk Secure Gateway app entirely can serve as a short-term mitigation. However, this action will disable functionalities such as Splunk Mobile, Spacebridge, and Mission Control.

Additionally, security teams should enforce least-privilege roles, restrict KV Store write access to the mobile_alerts collection, and replace jsonpickle.decode() on attacker-reachable code paths with strict schema-validated parsers.
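The two points above (the short-circuit validator flaw and the recommended schema-validated parser) can be illustrated together. The following is an added example and not SSG's own code: flawed_validator reproduces the short-circuit pattern, find_tags walks the whole document so nested tags cannot hide behind a decoy root key, and strict_parse_alert builds a plain object without jsonpickle; the notification field names are an assumption, not SSG's real schema.

```python
from dataclasses import dataclass
# The bypass document shown above (benign uname -a payload), used here only as validator input
BYPASS_DOC = {
    "py/object": "spacebridgeapp.data.alert_data.Alert",
    "notification": {"py/reduce": [{"py/function": "subprocess.check_output"},
                                   {"py/tuple": [["uname", "-a"]]}]},
}
# Constructed benign alert; the notification field names are an assumption, not SSG's real schema
BENIGN_DOC = {"py/object": "spacebridgeapp.data.alert_data.Alert",
              "notification": {"title": "Disk usage high", "body": "volume /var at 95%"}}
GADGET_TAGS = {"py/reduce", "py/object", "py/type", "py/function", "py/module", "py/repr"}

def flawed_validator(doc):
    """Short-circuit pattern described above: decides on the first recognized key
    and never inspects siblings, so a py/reduce nested elsewhere is never seen."""
    for key, value in doc.items():
        if key == "py/object":
            return isinstance(value, str) and value.startswith("spacebridgeapp")
        if key in GADGET_TAGS:
            return False
    return True

def find_tags(node, path="$"):
    """Walk the whole document and return every py/ tag with its location."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key.startswith("py/"):
                hits.append((f"{path}.{key}", key))
            hits += find_tags(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits += find_tags(item, f"{path}[{i}]")
    return hits

@dataclass(frozen=True)
class Alert:  # plain target type: only these fields exist, nothing is reconstructed by tag
    title: str
    body: str

def strict_parse_alert(doc):
    """Schema-validated replacement for jsonpickle.decode(): the only tag permitted is a
    root py/object in the expected namespace; every field is then checked explicitly."""
    tags = find_tags(doc)
    obj = doc.get("py/object")
    if tags != [("$.py/object", "py/object")] or not (isinstance(obj, str) and obj.startswith("spacebridgeapp.")):
        raise ValueError(f"rejected: unexpected jsonpickle tags {tags}")
    n = doc.get("notification")
    if not isinstance(n, dict) or set(n) != {"title", "body"} or not all(isinstance(v, str) for v in n.values()):
        raise ValueError("rejected: notification does not match schema")
    return Alert(**n)
```

Running find_tags over every document in a KV Store collection is also a quick way to detect already-stored documents that carry gadget tags below the root.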

This vulnerability underscores the importance of secure coding practices, particularly when deserializing data that an authenticated but low-privileged user can write. Organizations must remain vigilant, regularly update their systems, and apply patches promptly to mitigate such high-severity vulnerabilities.