CVE-2026-20253
Splunk Enterprise Missing Authentication for Critical Function Vulnerability - [Actively Exploited]
Description
In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials. Splunk Enterprise versions 9.4 and earlier are not affected. If you cannot immediately upgrade to a fixed version, you can mitigate this vulnerability by disabling the PostgreSQL sidecar service.
INFO
Published Date: June 10, 2026, 6:16 p.m.
Last Modified: June 16, 2026, 3:16 p.m.
Remotely Exploitable: No
Source: [email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Splunk Enterprise contains a missing authentication for critical function vulnerability which could allow an unauthenticated user to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint.
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
Unknown
https://advisory.splunk.com/advisories/SVD-2026-0603 ; BOD 26-04: https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk ; Forensics Triage Requirements: https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk ; https://nvd.nist.gov/vuln/detail/CVE-2026-20253
Affected Products
The following products are affected by the CVE-2026-20253 vulnerability. Even where cvefeed.io knows the exact affected versions of these products, that information is not shown in the table below.
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| | CVSS 3.1 | CRITICAL | | | | d1c1063e-7a18-46af-9102-31f8928bc633 |
| | CVSS 3.1 | CRITICAL | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | | | [email protected] |
Solution
- Update Splunk Enterprise to version 10.2.4 or later.
- Update Splunk Enterprise to version 10.0.7 or later.
- Update Splunk Cloud Platform to version 10.4.2604.3 or later.
- Update Splunk Cloud Platform to version 10.2.2510.14 or later.
Public PoC/Exploit Available at Github
CVE-2026-20253 has 10 public PoCs/exploits available on GitHub. Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-20253.
CWE - Common Weakness Enumeration
While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-20253 is associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
CAPEC stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-20253 weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proofs-of-concept that have been published on GitHub (sorted by most recently updated).
- POC for CVE-2026-20253 (tags: proof-of-concept, pssec, cve-2026-20253, splunk; language: Dockerfile)
- KQL detection rules for Microsoft Sentinel and Defender XDR covering the bikini/exploitarium anonymous disclosure — a personal research archive of 15 distinct vulnerability targets across 109 tracked files, released without vendor notification on June 23, 2026. (tags: kql, threat-detection, threat-hunting, threat-intelligence)
- Python CLI tool to check CVE details + nuclei template coverage. Security research writeups in /research. (language: Python)
- CVE-2026-20251 — Splunk Secure Gateway jsonpickle deserialization RCE (CVSS 8.8) | ReactiveZero Security Research (language: Python)
- No description (language: Python)
- CVE-2026-20253 - Splunk Enterprise (language: Python)
- CVE-2026-20253 (language: Python)
- No description (language: Python)
- Real-world security incident analysis through a risk and compliance lens
- A knowledge base of CVE vulnerability alerts, with no exploits/PoCs; some entries include remediation. A knowledge base of CVE security vulnerability, no PoCs/exploits.
Results are limited to the first 15 repositories due to potential performance issues.
The following list contains news articles that mention the CVE-2026-20253 vulnerability anywhere in the article.
- security.nl: Splunk warns of active exploitation of a critical flaw in Splunk Enterprise
  Software company Splunk warns of active exploitation of a critical vulnerability in Splunk Enterprise that allows an unauthenticated attacker to execute code on the platform. Splunk came out on ... Read more
- The Cyber Express: Critical SearchLeak Flaw in Microsoft 365 Copilot Exposed Sensitive Enterprise Data
  A newly disclosed SearchLeak vulnerability in Microsoft 365 Copilot Enterprise exposed a critical pathway for attackers to steal sensitive organizational data through a specially crafted URL. The flaw ... Read more
- TheCyberThrone: CISA adds Cisco SD-WAN and LiteSpeed cPanel to KEV
  June 16, 2026. CVE-2026-20262 | Cisco Catalyst SD-WAN Manager — Path Traversal. CVE-2026-20262 is a directory or path traversal vulnerability in Cisco Catalyst SD-WAN Manager. This class of flaw allows at ... Read more
- The Cyber Express: Splunk Urges Immediate Patching of Critical Flaw Enabling Arbitrary File Operations
  A newly disclosed security vulnerability in Splunk Enterprise has prompted urgent patching efforts after researchers revealed that the flaw could allow unauthenticated attackers to perform arbitrary f ... Read more
- TheCyberThrone: CVE-2026-20253 — Splunk Enterprise Unauthenticated RCE
  Severity: Critical. CVSS v3.1 Score: 9.8. CWE: CWE-306 — Missing Authentication for Critical Function. Vendor Advisory: SVD-2026-0603. What Is Vulnerable: CVE-2026-20253 affects Splunk Enterprise versions below ... Read more
- The Hacker News: Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication
  Splunk has released security updates to address a critical security flaw in Splunk Enterprise that could be exploited to conduct unauthenticated file operations and even remote code execution. The vul ... Read more
The following table lists the changes that have been made to the CVE-2026-20253 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
- CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Jun. 16, 2026)
  - Added Reference: https://labs.watchtowr.com/why-use-app-level-auth-when-every-database-has-auth-splunk-enterprise-cve-2026-20253-pre-auth-rce/
- CVE Modified by [email protected] (Jun. 15, 2026)
  - Changed Description
    - Old value: In Splunk Enterprise versions below 10.2.4 and 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials.
    - New value: In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials. Splunk Enterprise versions 9.4 and earlier are not affected. If you cannot immediately upgrade to a fixed version, you can mitigate this vulnerability by disabling the PostgreSQL sidecar service.
- CVE Modified by [email protected] (Jun. 15, 2026)
  - Changed Description
    - Old value: In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.3 and 10.2.2510.14, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials.
    - New value: In Splunk Enterprise versions below 10.2.4 and 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials.
- Initial Analysis by [email protected] (Jun. 15, 2026)
  - Added CPE Configuration (OR):
    - cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:* versions from (including) 10.0.0 up to (excluding) 10.0.7
    - cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:* versions from (including) 10.2.0 up to (excluding) 10.2.4
  - Added Reference Type: Cisco Systems, Inc.: https://advisory.splunk.com/advisories/SVD-2026-0603 (Types: Vendor Advisory)
- New CVE Received by [email protected] (Jun. 10, 2026)
  - Added Description: In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.3 and 10.2.2510.14, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials.
  - Added CVSS V3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  - Added CWE: CWE-306
  - Added Reference: https://advisory.splunk.com/advisories/SVD-2026-0603