Unauthenticated RCE in Splunk Enterprise under active attack (CVE-2026-20253)

CISA has added CVE-2026-20253, a critical, remotely exploitable vulnerability in Splunk Enterprise, to its Known Exploited Vulnerabilities catalog, and ordered US federal civilian agencies to apply mitigations by June 21, 2026.

In-the-wild exploitation has also been confirmed by the vendor and by Resecurity, whose researchers said that the flaw's potential for full system compromise should push organizations to prioritize patching and to review systems for indicators of compromise such as:

  • Requests containing path traversal sequences (../)
  • PostgreSQL connection parameters such as hostaddr=, dbname=, port=, or passfile=
  • Unexpected execution of pg_dump or pg_restore
  • Creation of database dump files in unusual filesystem locations
  • Outbound connections from Splunk services to unknown PostgreSQL servers
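A triage filter that applies these indicators to sample log lines, as an added example that is not from the article or from Splunk, Resecurity or CISA; the log line formats, the sanctioned backup directory, the PostgreSQL host allowlist and the sidecar endpoint path are assumptions:

```python
import re

# Indicators taken from the article's list; the log line formats, the expected
# backup directory and the allowlist of PostgreSQL hosts are assumptions.
TRAVERSAL = re.compile(r"\.\./|%2e%2e(?:%2f|/)", re.IGNORECASE)
PG_PARAM = re.compile(r"\b(hostaddr|dbname|port|passfile)=", re.IGNORECASE)
PG_TOOL = re.compile(r"\bpg_(?:dump|restore)\b")
DUMP_FILE = re.compile(r"file_create path=(\S+\.(?:dump|sql))")
PG_CONNECT = re.compile(r"net_connect dst=([\d.]+):5432\b")

EXPECTED_DUMP_DIR = "/opt/splunk/var/backups/"  # assumption: sanctioned location
KNOWN_PG_HOSTS = {"10.0.0.20"}                  # assumption: sanctioned DB server

def indicators(line):
    """Return the set of indicator names that a single log line matches."""
    hits = set()
    if TRAVERSAL.search(line):
        hits.add("path_traversal")
    # 'port=' alone is noisy; require a host/credential parameter or two params.
    params = {p.lower() for p in PG_PARAM.findall(line)}
    if params & {"hostaddr", "passfile"} or len(params) >= 2:
        hits.add("pg_conn_params")
    if PG_TOOL.search(line):
        hits.add("pg_tool_exec")
    m = DUMP_FILE.search(line)
    if m and not m.group(1).startswith(EXPECTED_DUMP_DIR):
        hits.add("dump_outside_expected_dir")
    m = PG_CONNECT.search(line)
    if m and m.group(1) not in KNOWN_PG_HOSTS:
        hits.add("outbound_unknown_pg")
    return hits

def triage(lines):
    """Return (line number, sorted indicators) for every line with a hit."""
    return [(n, sorted(h)) for n, l in enumerate(lines, 1) if (h := indicators(l))]

# Constructed sample events; the sidecar endpoint path is a placeholder.
SAMPLE_LOG = [
    '203.0.113.10 - - "GET /en-US/app/search HTTP/1.1" 200',
    '198.51.100.7 - - "POST /example-sidecar-path/../../../tmp/x HTTP/1.1" 200',
    '198.51.100.7 - - "POST /example-sidecar-path HTTP/1.1" 200 '
    'body="hostaddr=198.51.100.7 dbname=splunk port=5432 passfile=/tmp/pgpass"',
    'proc_exec proc=/usr/bin/pg_dump args="--host 198.51.100.7" user=splunk',
    'file_create path=/tmp/splunk_backup.dump user=splunk',
    'file_create path=/opt/splunk/var/backups/nightly.dump user=splunk',
    'net_connect dst=198.51.100.7:5432 proc=splunkd',
    'net_connect dst=10.0.0.20:5432 proc=splunkd',
]

print(triage(SAMPLE_LOG))
```

Lines 1, 6 and 8 of the constructed sample are benign and produce no hit; tune the allowlist and directory to your own environment before running this over real data.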

The vulnerability and its exploitation potential

Splunk Enterprise collects logs and data from across an organization’s IT systems and indexes them so they can be searched quickly using its own query language (SPL). It’s used for dashboards, alerts, and investigating issues, and essentially serves as the core platform for general IT monitoring and security (SIEM) use cases.

“In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint,” Splunk explained in the security advisory for CVE-2026-20253, published on June 10, 2026.

The PostgreSQL sidecar service handles database backup and recovery operations. The vulnerability stems from the sidecar service endpoint having no authentication controls, so attackers who can reach the service can invoke file operations without valid credentials.

CVE-2026-20253 can be used by attackers to execute arbitrary code and achieve full control over the Splunk application environment. This may allow them to access, tamper with or delete security data; expose stored credentials; pivot to other internal systems; and more.

“Given Splunk’s central role in security monitoring and operational intelligence, compromise of the platform can significantly reduce organizational visibility, allowing additional malicious activity to proceed undetected,” Resecurity researchers added.

Patches and mitigation

Splunk released patches on June 10, and urged customers to upgrade to a fixed version: 10.4.0, 10.2.4 and 10.0.7, or higher.

On June 12, watchTowr researchers published a technical deep-dive into the flaw along with a “neutered” version of their exploit, which organizations can use to check whether their Splunk Enterprise deployment is vulnerable to CVE-2026-20253.

A Nuclei detection template is also publicly available.

On June 15, the vendor confirmed that the vulnerability can be mitigated by disabling the PostgreSQL sidecar service, but noted that some functionality may be affected.
