Known Exploited Vulnerability
9.8
CRITICAL CVSS 3.1
CVE-2026-20253
Splunk Enterprise Missing Authentication for Critical Function Vulnerability - [Actively Exploited]
Description

In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials. Splunk Enterprise versions 9.4 and earlier are not affected. If you cannot immediately upgrade to a fixed version, you can mitigate this vulnerability by disabling the PostgreSQL sidecar service.

INFO

Published Date :

June 10, 2026, 6:16 p.m.

Last Modified :

June 16, 2026, 3:16 p.m.

Remotely Exploitable :

No
CISA Notification
CISA KEV (Known Exploited Vulnerabilities)

For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.

Description :

Splunk Enterprise contains a missing authentication for critical function vulnerability which could allow an unauthenticated user to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint.

Required Action :

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Known Ransomware Campaign Use:

Unknown

Notes :

https://advisory.splunk.com/advisories/SVD-2026-0603 ; BOD 26-04: https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk ; Forensics Triage Requirements: https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk ; https://nvd.nist.gov/vuln/detail/CVE-2026-20253

Affected Products

The following products are affected by the CVE-2026-20253 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, that information is not represented in the table below.

ID Vendor Product Action
1 Splunk splunk
2 Splunk splunk_cloud_platform
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and display CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 CRITICAL d1c1063e-7a18-46af-9102-31f8928bc633
CVSS 3.1 CRITICAL [email protected]
Solution
Update Splunk to a patched version to address the arbitrary file creation vulnerability.
  • Update Splunk Enterprise to version 10.2.4 or later.
  • Update Splunk Enterprise to version 10.0.7 or later.
  • Update Splunk Cloud Platform to version 10.4.2604.3 or later.
  • Update Splunk Cloud Platform to version 10.2.2510.14 or later.
Public PoC/Exploit Available at Github

CVE-2026-20253 has 10 public PoCs/exploits available on GitHub.

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-20253.

URL Resource
https://advisory.splunk.com/advisories/SVD-2026-0603 Vendor Advisory
https://labs.watchtowr.com/why-use-app-level-auth-when-every-database-has-auth-splunk-enterprise-cve-2026-20253-pre-auth-rce/
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-20253 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proofs of concept that have been published on GitHub (sorted by the most recently updated).

POC for CVE-2026-20253

proof-of-concept pssec cve-2026-20253 splunk

Dockerfile

Updated: 2 days, 11 hours ago
0 stars 0 fork 0 watcher
Born at : June 29, 2026, 7:53 a.m. This repo has been linked 1 different CVEs too.

KQL detection rules for Microsoft Sentinel and Defender XDR covering the bikini/exploitarium anonymous disclosure — a personal research archive of 15 distinct vulnerability targets across 109 tracked files, released without vendor notification on June 23, 2026.

kql threat-detection threat-hunting threat-intelligence

Updated: 1 day, 10 hours ago
27 stars 25 fork 25 watcher
Born at : June 28, 2026, 9:36 p.m. This repo has been linked 4 different CVEs too.

Python CLI tool to check CVE details + nuclei template coverage. Security research writeups in /research.

Python

Updated: 1 day, 16 hours ago
0 stars 0 fork 0 watcher
Born at : June 28, 2026, 1:27 p.m. This repo has been linked 14 different CVEs too.

CVE-2026-20251 — Splunk Secure Gateway jsonpickle deserialization RCE (CVSS 8.8) | ReactiveZero Security Research

Python

Updated: 5 days, 4 hours ago
1 stars 0 fork 0 watcher
Born at : June 26, 2026, 9:12 p.m. This repo has been linked 2 different CVEs too.

None

Python

Updated: 5 days, 7 hours ago
0 stars 0 fork 0 watcher
Born at : June 26, 2026, 6:13 p.m. This repo has been linked 1 different CVEs too.

CVE-2026-20253 - Splunk Enterprise

Python

Updated: 2 weeks, 3 days ago
0 stars 0 fork 0 watcher
Born at : June 14, 2026, 4:18 a.m. This repo has been linked 1 different CVEs too.

CVE-2026-20253

Python

Updated: 2 weeks, 3 days ago
1 stars 0 fork 0 watcher
Born at : June 13, 2026, 6:09 p.m. This repo has been linked 1 different CVEs too.

None

Python

Updated: 2 weeks, 3 days ago
6 stars 1 fork 1 watcher
Born at : June 12, 2026, 10:04 a.m. This repo has been linked 1 different CVEs too.

Real-world security incident analysis through a risk and compliance lens

Updated: 2 weeks, 3 days ago
0 stars 0 fork 0 watcher
Born at : June 3, 2026, 12:54 p.m. This repo has been linked 2 different CVEs too.

A CVE vulnerability alert knowledge base with no exploits/PoCs; some entries include remediation guidance.

Updated: 1 week ago
172 stars 24 fork 24 watcher
Born at : Jan. 5, 2023, 2:19 a.m. This repo has been linked 258 different CVEs too.

Results are limited to the first 15 repositories due to potential performance issues.

The following list contains news articles that mention the CVE-2026-20253 vulnerability anywhere in the article.

  • security.nl
Splunk warns of active exploitation of critical flaw in Splunk Enterprise

Software company Splunk is warning of active exploitation of a critical vulnerability in Splunk Enterprise that allows an unauthenticated attacker to execute code on the platform. Splunk came out on ... Read more

Published Date: Jun 19, 2026 (1 week, 5 days ago)
  • The Cyber Express
Critical SearchLeak Flaw in Microsoft 365 Copilot Exposed Sensitive Enterprise Data

A newly disclosed SearchLeak vulnerability in Microsoft 365 Copilot Enterprise exposed a critical pathway for attackers to steal sensitive organizational data through a specially crafted URL. The flaw ... Read more

Published Date: Jun 16, 2026 (2 weeks, 1 day ago)
  • TheCyberThrone
CISA adds Cisco SD-WAN and LiteSpeed cPanel to KEV

June 16, 2026. CVE-2026-20262 | Cisco Catalyst SD-WAN Manager — Path Traversal. CVE-2026-20262 is a directory or path traversal vulnerability in Cisco Catalyst SD-WAN Manager. This class of flaw allows at ... Read more

Published Date: Jun 16, 2026 (2 weeks, 2 days ago)
  • The Cyber Express
Splunk Urges Immediate Patching of Critical Flaw Enabling Arbitrary File Operations

A newly disclosed security vulnerability in Splunk Enterprise has prompted urgent patching efforts after researchers revealed that the flaw could allow unauthenticated attackers to perform arbitrary f ... Read more

Published Date: Jun 15, 2026 (2 weeks, 2 days ago)
  • TheCyberThrone
CVE-2026-20253 — Splunk Enterprise Unauthenticated RCE

Severity: Critical. CVSS v3.1 Score: 9.8. CWE: CWE-306 — Missing Authentication for Critical Function. Vendor Advisory: SVD-2026-0603. What Is Vulnerable: CVE-2026-20253 affects Splunk Enterprise versions below ... Read more

Published Date: Jun 14, 2026 (2 weeks, 3 days ago)
  • The Hacker News
Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication

Splunk has released security updates to address a critical security flaw in Splunk Enterprise that could be exploited to conduct unauthenticated file operations and even remote code execution. The vul ... Read more

Published Date: Jun 13, 2026 (2 weeks, 4 days ago)

The following table lists the changes that have been made to the CVE-2026-20253 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0

    Jun. 16, 2026

    Action Type Old Value New Value
    Added Reference https://labs.watchtowr.com/why-use-app-level-auth-when-every-database-has-auth-splunk-enterprise-cve-2026-20253-pre-auth-rce/
  • CVE Modified by [email protected]

    Jun. 15, 2026

    Action Type Old Value New Value
    Changed Description
    Old Value: In Splunk Enterprise versions below 10.2.4 and 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials.
    New Value: In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials. Splunk Enterprise versions 9.4 and earlier are not affected. If you cannot immediately upgrade to a fixed version, you can mitigate this vulnerability by disabling the PostgreSQL sidecar service.
  • CVE Modified by [email protected]

    Jun. 15, 2026

    Action Type Old Value New Value
    Changed Description
    Old Value: In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.3 and 10.2.2510.14, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials.
    New Value: In Splunk Enterprise versions below 10.2.4 and 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials.
  • Initial Analysis by [email protected]

    Jun. 15, 2026

    Action Type Old Value New Value
    Added CPE Configuration OR
        *cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:* versions from (including) 10.0.0 up to (excluding) 10.0.7
        *cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:* versions from (including) 10.2.0 up to (excluding) 10.2.4
    Added Reference Type Cisco Systems, Inc.: https://advisory.splunk.com/advisories/SVD-2026-0603 Types: Vendor Advisory
  • New CVE Received by [email protected]

    Jun. 10, 2026

    Action Type Old Value New Value
    Added Description In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.3 and 10.2.2510.14, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials.
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Added CWE CWE-306
    Added Reference https://advisory.splunk.com/advisories/SVD-2026-0603
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. The following chart shows the EPSS score history of the vulnerability.