Public PoC Released for Deserialization RCE Vulnerability in Splunk Secure Gateway
By Abinaya
June 29, 2026
A public proof-of-concept (PoC) exploit has been released for CVE-2026-20251, a high-severity remote code execution (RCE) vulnerability affecting Splunk Secure Gateway (SSG).
The flaw, carrying a CVSS score of 8.8, allows a low-privileged authenticated attacker to execute arbitrary code on the Splunk host server without requiring admin or power-level roles.
CVE-2026-20251 resides in Splunk Secure Gateway’s alert processing pipeline. The component reads attacker-controlled documents from Splunk’s App Key Value Store (KV Store), specifically the mobile_alerts collection, and passes them directly to jsonpickle.decode(), a Python deserialization library capable of reconstructing arbitrary Python objects from crafted JSON.
Although the call sets safe=True, this flag only blocks the legacy py/repr evaluation path. Critical gadget tags including py/reduce, py/object, py/type, py/function, and py/module remain fully exploitable.
A secondary validator (check_alert_data_valid_json), intended to block dangerous tags, short-circuits on the first recognized key.
If the first top-level key is a permitted py/object value starting with spacebridgeapp, the function immediately returns True and never inspects sibling keys, including any embedded py/reduce gadget.
The exploit requires only a valid low-privilege Splunk account. The attacker writes a specially crafted bypass document to the mobile_alerts KV Store collection via the Splunk REST API.
When SSG processes an alert fetch request, alerts_request_processor.py reads the document, the validator passes it (tricked by the lure py/object key), and jsonpickle.decode() reconstructs the malicious object, triggering arbitrary OS command execution.
The bypass document structure exploits this logic flaw:
{
  "py/object": "spacebridgeapp.data.alert_data.Alert",
  "notification": {
    "py/reduce": [
      {"py/function": "subprocess.check_output"},
      {"py/tuple": [["uname", "-a"]]}
    ]
  }
}
The validator approves the document on the py/object key and never reaches the malicious notification payload.
Researcher Fady Oueslati of ReactiveZero Security Research published the PoC (poc_cve_2026_20251.py) on June 26, 2026, under reference 2026FO-SPLUNK-20251.
The PoC demonstrates two independent conditions: validator bypass (returning True for the crafted document) and py/reduce execution under safe=True.
The payload used is deliberately benign (uname -a). Testing was conducted on SSG 3.9.19 running on Splunk Enterprise 10.0.6.
Organizations should immediately upgrade Splunk Secure Gateway to versions 3.9.20, 3.10.6, or 3.8.67, and Splunk Enterprise to 10.0.7, 10.2.4, or 10.4.0+.
If patching is not immediately possible, disable or remove the Splunk Secure Gateway app entirely as a short-term mitigation. However, this disables Splunk Mobile, Spacebridge, and Mission Control functionality.
Security teams should also enforce least-privilege roles, restrict KV Store write access to the mobile_alerts collection, and replace jsonpickle.decode() on attacker-reachable code paths with strict schema-validated parsers.
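The two defensive points above, a validator that cannot be short-circuited by a lure key and a strict schema-validated parser in place of jsonpickle.decode(), are shown together in the following added example. This is illustrative code written for this article, not Splunk's or SSG's code: first_key_validator is a simplified reconstruction of the short-circuit logic the article describes, the Alert fields (alert_id, title, severity) are assumed for the sake of the example, and the sample documents are constructed from the bypass structure printed above.

```python
import json
from dataclasses import dataclass
from typing import Any

# Constructed sample: the bypass document structure described in the article.
BYPASS_DOC = {
    "py/object": "spacebridgeapp.data.alert_data.Alert",
    "notification": {
        "py/reduce": [
            {"py/function": "subprocess.check_output"},
            {"py/tuple": [["uname", "-a"]]},
        ]
    },
}

# Constructed sample: a benign alert in the assumed schema.
BENIGN_DOC = {"alert_id": "a-1001", "title": "Disk usage high", "severity": "high"}


def first_key_validator(doc: dict) -> bool:
    """Simplified model of the short-circuit check the article describes (not SSG's code).
    It returns True as soon as it sees an allowed py/object value and never looks at
    sibling keys, so a nested py/reduce gadget goes unnoticed."""
    for key, value in doc.items():
        if key == "py/object" and isinstance(value, str) and value.startswith("spacebridgeapp"):
            return True
        if key.startswith("py/"):
            return False
    return True


def find_pickle_tags(node: Any, path: str = "$") -> list[str]:
    """Hardened check: walk the entire document and report the JSON path of every
    jsonpickle control key (py/object, py/reduce, py/function, ...), at any depth."""
    hits: list[str] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key.startswith("py/"):
                hits.append(child)
            hits.extend(find_pickle_tags(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_pickle_tags(item, f"{path}[{i}]"))
    return hits


@dataclass(frozen=True)
class Alert:
    alert_id: str
    title: str
    severity: str


def parse_alert_strict(raw: str) -> Alert:
    """Schema-validated replacement for jsonpickle.decode() on an attacker-reachable path:
    plain json.loads, no object reconstruction, only known fields with expected types."""
    doc = json.loads(raw)
    if not isinstance(doc, dict):
        raise ValueError("alert must be a JSON object")
    tags = find_pickle_tags(doc)
    if tags:
        raise ValueError(f"serialization control keys rejected at {tags}")
    expected = {"alert_id": str, "title": str, "severity": str}
    unknown = set(doc) - set(expected)
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    for field, typ in expected.items():
        if not isinstance(doc.get(field), typ):
            raise ValueError(f"field {field!r} must be {typ.__name__}")
    if doc["severity"] not in ("low", "medium", "high", "critical"):
        raise ValueError("severity out of range")
    return Alert(**doc)


if __name__ == "__main__":
    print("short-circuit validator accepts bypass doc:", first_key_validator(BYPASS_DOC))
    print("full walk finds control keys at:", find_pickle_tags(BYPASS_DOC))
    print("strict parse of benign doc:", parse_alert_strict(json.dumps(BENIGN_DOC)))
    try:
        parse_alert_strict(json.dumps(BYPASS_DOC))
    except ValueError as e:
        print("strict parse rejected bypass doc:", e)
```

The walker in find_pickle_tags also doubles as a cheap audit check over existing mobile_alerts records exported from the KV Store: any document that yields a non-empty result should be treated as suspect and reviewed, whether or not its first key looks legitimate.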