Last updated: July 5, 2026 at 9:01 AM UTC
Tag: splunk (2 articles)

Splunk Enterprise flaw now exploited, added to CISA must-patch list

A critical Splunk Enterprise flaw disclosed earlier this month is now being exploited in the wild, and CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog with a June 21 federal patch deadline. The bug (CVE-2026-20253, CVSS 9.8) is a missing-authentication issue in a PostgreSQL sidecar service: an unauthenticated, network-reachable attacker can create or truncate arbitrary files on the Splunk host, which can cascade into log corruption, broken monitoring, and remote code execution. Both Splunk and Resecurity have confirmed active exploitation, and a public proof-of-concept and Nuclei template exist. Because Splunk underpins many SOC and SIEM operations, a compromise can blind defenders at exactly the moment they need visibility.

Check
Identify Splunk Enterprise instances on 10.2 before 10.2.4 or 10 before 10.0.7, check whether the PostgreSQL sidecar endpoint is network-reachable, and review logs for path-traversal and unexpected PostgreSQL connections.
Affected
Splunk Enterprise 10.2 versions before 10.2.4 and 10 versions before 10.0.7 (CVE-2026-20253); instances whose PostgreSQL sidecar endpoint is reachable from untrusted networks are at highest risk.
Fix
Patch to Splunk Enterprise 10.2.4 or 10.0.7 immediately, or disable the PostgreSQL sidecar service as a temporary mitigation. Then run forensic triage for file tampering before assuming systems are clean: because the primitive is file creation and truncation, look for unexpected new or zero-length files under the Splunk installation and for gaps in the host's own logs.
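The Check sections of both articles above describe the same triage: confirm the running version against the fixed releases, then review logs for path-traversal attempts and for unexpected connections to the PostgreSQL sidecar. The script below is an added example written for this page, not Splunk's, CISA's or watchTowr's code. It encodes the affected ranges as stated above (10.0.x before 10.0.7, 10.2.x before 10.2.4), treats any other 10.x or later line as "unknown" so it is checked against the vendor advisory rather than silently passed, and scans constructed sample log lines. The log formats, the sample IPs, and the assumption that the sidecar listens on PostgreSQL's default port 5432 are all illustrative, not taken from the advisory.

```python
"""Triage helper for CVE-2026-20253 (Splunk Enterprise PostgreSQL sidecar).

Added example, not vendor code. Affected ranges come from the advisory
summary on this page; log formats and sample data below are constructed.
"""
import re
from urllib.parse import unquote

# Fixed builds per release line, as stated in the advisory summary.
# Release lines not named there (e.g. 10.1.x, 10.3.x) are reported as
# "unknown" so they are checked against the vendor advisory, not assumed safe.
FIXED = {(10, 0): (10, 0, 7), (10, 2): (10, 2, 4)}


def parse_version(v):
    """'10.2.3' -> (10, 2, 3); tolerates a build suffix such as '10.2.3-abc'."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.groups())


def assess_version(v):
    """Return 'affected', 'fixed', 'unknown' or 'not-affected'."""
    ver = parse_version(v)
    if ver[0] < 10:
        return "not-affected"  # sidecar was introduced in Splunk 10
    fixed = FIXED.get(ver[:2])
    if fixed is None:
        return "unknown"
    return "affected" if ver < fixed else "fixed"


def contains_traversal(path):
    """True if the path carries '../' or '..\\' raw, URL-encoded, or double-encoded."""
    candidates = (path, unquote(path), unquote(unquote(path)))
    return any("../" in c or "..\\" in c for c in candidates)


# Constructed web access log lines in a common-log-style layout (illustrative).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [10/Jun/2026:12:00:01 +0000] "GET /en-US/app/search HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Jun/2026:12:00:02 +0000] "POST /svc/../../../../etc/passwd HTTP/1.1" 200 0',
    '203.0.113.7 - - [10/Jun/2026:12:00:03 +0000] "GET /svc/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0',
    '198.51.100.9 - - [10/Jun/2026:12:00:04 +0000] "GET /x/%252e%252e/%252e%252e/tmp/a HTTP/1.1" 404 0',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|PATCH)\s+(\S+)')


def find_traversal(lines):
    """Return (source_ip, path) for every request whose path shows traversal."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and contains_traversal(m.group(1)):
            hits.append((line.split()[0], m.group(1)))
    return hits


# Constructed connection records (illustrative format, not a Splunk log).
SAMPLE_CONN_LOG = [
    "src=127.0.0.1:40112 dst=127.0.0.1:5432 state=ESTABLISHED",
    "src=203.0.113.7:51234 dst=10.0.0.5:5432 state=ESTABLISHED",
    "src=10.0.0.9:33001 dst=10.0.0.5:8000 state=ESTABLISHED",
]

CONN_RE = re.compile(r"src=([^:\s]+):\d+\s+dst=[^:\s]+:(\d+)")


def unexpected_pg_connections(lines, pg_port=5432, allowed=("127.0.0.1", "::1")):
    """Source IPs talking to the PostgreSQL port from outside the allow list.

    pg_port=5432 is an assumption (PostgreSQL's default); confirm the sidecar's
    real listener on the host before relying on this.
    """
    flagged = []
    for line in lines:
        m = CONN_RE.search(line)
        if m and int(m.group(2)) == pg_port and m.group(1) not in allowed:
            flagged.append(m.group(1))
    return flagged


if __name__ == "__main__":
    for v in ("10.2.3", "10.2.4", "10.0.6", "10.1.2", "9.4.1"):
        print(v, assess_version(v))
    print(find_traversal(SAMPLE_ACCESS_LOG))
    print(unexpected_pg_connections(SAMPLE_CONN_LOG))
```

Run it against the real `splunk version` output and the host's web access and connection logs; a traversal hit from an untrusted source on an "affected" or "unknown" build is the trigger for the forensic file-tampering review rather than a straight patch-and-move-on.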

Critical Splunk Enterprise flaw allows unauthenticated remote code execution

Splunk has patched a critical flaw in Splunk Enterprise that lets an unauthenticated attacker run code on the server, a serious risk given Splunk often sits at the heart of a company's security monitoring. The bug (CVE-2026-20253, rated 9.8) is in the PostgreSQL sidecar service added in Splunk 10, whose internal API has no authentication yet is reachable through the main web app's proxy. An attacker can write or overwrite files on the host and chain that into remote code execution. The sidecar is off by default on on-premises Windows but enabled out of the box on Splunk Enterprise running in AWS. Splunk Cloud is not affected.

Check
Check Splunk Enterprise versions and whether the PostgreSQL sidecar service is enabled, especially on AWS-hosted instances, and use watchTowr's detection tool to test for unauthenticated access to the API.
Affected
Splunk Enterprise 10.0.x versions below 10.0.7 and 10.2.x versions below 10.2.4 with the PostgreSQL sidecar service active (CVE-2026-20253); AWS-hosted instances have the sidecar enabled by default and so are exposed out of the box. Splunk Cloud is unaffected.
Fix
Upgrade Splunk Enterprise to 10.2.4 or 10.0.7 or later immediately. Until patched, restrict network access to the web interface and sidecar endpoints, and disable the sidecar service if unused.