What happened
Splunk disclosed CVE-2026-20266 (CVSS 9.1, Critical) on 2026-06-17/18: the btool Configuration Helper in Splunk AI Toolkit builds OS command strings from dynamic, caller-controlled parameters and runs them with shell=True semantics, so an authenticated Splunk admin can execute arbitrary OS commands on the underlying host. A companion issue, CVE-2026-20265 (CVSS 4.3), lets low-privilege users trigger outbound HTTP requests from AI agent interactions because the default domain allowlist is insecure, which enables data exfiltration. Both are fixed in Splunk AI Toolkit 5.7.4.
Why it matters
Splunk AI Toolkit integrates LLM-powered features directly into Splunk Enterprise, the platform that carries security analytics and ML workloads in thousands of enterprises. An OS command injection in the AI layer turns a compromised Splunk admin account into code execution on the host with the privileges of the Splunk service account; where that account is root, the attacker owns the host outright. From there the usual follow-on steps apply: persistence, lateral movement, and exfiltration of the security telemetry Splunk ingests, which is exactly the data a defender relies on to notice the intrusion.
Attack vector
CVE-2026-20266 requires an authenticated Splunk admin. The admin sends input to the btool Configuration Helper component, which builds an OS command string from the supplied parameters without disabling shell interpretation. Shell metacharacters in those parameters (command separators, substitutions, redirections) are interpreted by the shell, so the attacker runs arbitrary OS commands on the host running Splunk Enterprise. The bug class is classic command injection: the fix is to stop handing a string to a shell at all, not to filter characters. CVE-2026-20265 has a lower bar: a low-privilege user steers an AI agent interaction into making an outbound HTTP request to a destination permitted by the insecure default domain allowlist, which is enough to move data off the platform.
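The vulnerable pattern next to its hardened form, as an added example that is not Splunk's code: the helper names, the "web" configuration file and the "search" app are assumptions chosen for illustration, and the real Splunk binary is replaced by echo so the script runs on any POSIX host without Splunk installed. The vulnerable function interpolates parameters into a string and passes it to a shell; the hardened one validates each parameter against a strict identifier pattern and passes an argument vector with the shell out of the loop.

```python
import re
import subprocess

# Stand-in for the Splunk CLI (the real path would be $SPLUNK_HOME/bin/splunk).
# echo makes the example runnable offline and shows exactly what the shell saw.
SPLUNK_BIN = "echo"


def btool_vulnerable(conf: str, app: str) -> str:
    """Reconstruction of the flawed pattern (hypothetical, not Splunk's code):
    the command line is a string built from caller input and run via a shell,
    so metacharacters in `app` or `conf` are interpreted by /bin/sh."""
    cmd = f"{SPLUNK_BIN} btool {conf} list --app={app}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


# Only bare identifiers are acceptable for a conf file name or an app name.
# No separators, whitespace, quotes, slashes or leading dashes get through,
# which also blocks path traversal and option injection (e.g. "--help").
_IDENTIFIER = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]*")


def btool_hardened(conf: str, app: str) -> str:
    """Hardened form: allowlist-validate every parameter, then exec directly.
    With shell=False the argv list is passed to execve, so even a value that
    slipped past validation would arrive as one literal argument, never as
    additional commands. Quoting with shlex.quote is weaker than this: it
    still relies on a shell parsing the result correctly."""
    for name, value in (("conf", conf), ("app", app)):
        if not _IDENTIFIER.fullmatch(value):
            raise ValueError(f"rejected {name}={value!r}: not a bare identifier")
    argv = [SPLUNK_BIN, "btool", conf, "list", f"--app={app}"]
    result = subprocess.run(argv, shell=False, capture_output=True, text=True)
    return result.stdout


def demo() -> dict:
    """Run both variants against the same injected parameter (constructed
    payload) and report what happened."""
    payload = "search; echo INJECTED"  # a real attacker would use id, curl, etc.
    vulnerable_out = btool_vulnerable("web", payload)
    try:
        btool_hardened("web", payload)
        blocked = False
    except ValueError:
        blocked = True
    return {
        "vulnerable_output": vulnerable_out,   # two lines: echo output, then INJECTED
        "hardened_blocked": blocked,           # True: payload never reached a shell
        "clean_output": btool_hardened("web", "search"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The second line of the vulnerable output is the proof: the shell split the string on `;` and ran a second command the caller never intended. The hardened version refuses the payload before anything executes, and even a weaker hardening that only switched to an argv list would have printed the payload as text rather than executing it.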
Affected systems
Splunk AI Toolkit < 5.7.4
Mitigation
Upgrade Splunk AI Toolkit to version 5.7.4 or later and confirm the installed version afterwards on every search head where the app is deployed. Until the upgrade is in place, treat Splunk admin membership as equivalent to OS access on the host: review who holds the admin role, and scrutinise unexpected child processes spawned by the Splunk service account. Splunk advisory SVD-2026-0614: https://advisory.splunk.com/advisories/SVD-2026-0614