ADVISORY SUMMARY
CVE-2026-20253 (CVSS 9.8, Critical) is a missing-authentication flaw in the PostgreSQL sidecar service endpoint of Splunk Enterprise. Any unauthenticated attacker who can reach the endpoint over the network can create or truncate arbitrary files on the host, and that file-write primitive can be chained into pre-authentication remote code execution. Splunk PSIRT confirmed limited in-the-wild exploitation on June 18, 2026, and CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog the same day, the first Splunk vulnerability to appear in that catalog. Shadowserver tracks over 1,400 internet-exposed Splunk instances, and public proof-of-concept code has been available since June 12.
AFFECTED SYSTEMS
MITIGATION GUIDANCE
Upgrade to Splunk Enterprise 10.4.0, 10.2.4, or 10.0.7 immediately; no workaround fully remediates the vulnerability. Until the upgrade is applied, restrict network access to Splunk management interfaces and the PostgreSQL sidecar service endpoint to trusted IP ranges only; the endpoint must not be reachable from untrusted networks or the internet. Segment Splunk infrastructure from general-purpose networks so that a compromised workstation cannot reach the management plane. If an emergency maintenance window is unavailable, Splunk documents a temporary workaround that disables the sidecar; note that this can break Edge Processor, OpAmp, and SPL2 data pipelines, so validate those integrations when the sidecar is re-enabled after patching. Because exploitation has been confirmed in the wild and a public PoC exists, treat network restriction as a stopgap rather than a fix, and review any instance that was reachable from untrusted networks before patching using the detection guidance below; patching alone does not clear a host that may already have been compromised.
DETECTION SIGNATURES
Review Splunk server logs for requests to the PostgreSQL sidecar service endpoint (paths under /v1/postgres/), paying particular attention to requests with no authenticated user, from source addresses outside your trusted management ranges, or using methods that change state, and correlate them with file creation or truncation on the host at the same time. Because the flaw is missing authentication rather than a rejected authentication attempt, a successful exploit request is likely to complete normally and log a non-error status, so do not filter on error responses alone. Monitor for unexpected process execution from within the Splunk service context, particularly Python script execution not initiated by a known user or a scheduled search, and watch EDR telemetry for anomalous child processes spawned by Splunk services. Alert on filesystem writes under /opt/splunk/etc/apps/ that do not correlate with administrative deployment actions.
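As an added illustration of the checks above (example code written for this page, not Splunk's own tooling or anything from the advisory): a small Python triage script that parses access-log lines and flags sidecar requests that are unauthenticated, come from outside the trusted ranges, or use a state-changing method, and separately flags writes under /opt/splunk/etc/apps/ that fall outside approved deployment windows. The log format (a Common-Log-Format style record with a user field), the sample lines, the /v1/postgres/ sub-paths, the trusted networks, the file events and the deployment windows are all constructed assumptions for the example; adapt the regular expression to the actual log schema before using it.

```python
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample log lines (assumption: a Common-Log-Format style record
# with an authenticated-user field). Addresses, users, timestamps and the
# /v1/postgres/ sub-paths are placeholders, not real exploit traffic.
SAMPLE_ACCESS_LOG = """\
10.0.5.12 - admin [18/Jun/2026:09:12:01.000 +0000] "GET /services/server/info HTTP/1.1" 200 1432
203.0.113.77 - - [18/Jun/2026:09:13:44.000 +0000] "POST /v1/postgres/example-op HTTP/1.1" 200 0
10.0.5.12 - splunk-system-user [18/Jun/2026:09:14:02.000 +0000] "GET /v1/postgres/example-status HTTP/1.1" 200 88
198.51.100.9 - - [18/Jun/2026:09:15:10.000 +0000] "PUT /v1/postgres/example-op HTTP/1.1" 200 0
this line is malformed and must be skipped rather than crash the parser
"""

# Source ranges allowed to reach the management plane (assumption for the example).
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.10.0/24")]

SIDECAR_PREFIX = "/v1/postgres/"
APPS_ROOT = "/opt/splunk/etc/apps/"

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_access_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_sidecar_access(log_text, trusted_networks=TRUSTED_NETWORKS,
                          sidecar_prefix=SIDECAR_PREFIX):
    """Flag sidecar requests that look like exploitation attempts.

    A request is reported when any of these hold: the source is outside the
    trusted ranges, no authenticated user is recorded, or the method can
    change state (the advisory's primitive is file create/truncate). The
    status code is recorded but deliberately not filtered on: a successful
    exploit of a missing-auth flaw returns a normal status.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec is None or not rec["path"].startswith(sidecar_prefix):
            continue
        try:
            src = ip_address(rec["src"])
        except ValueError:
            continue  # hostname or garbage in the source field
        reasons = []
        if not any(src in net for net in trusted_networks):
            reasons.append("source outside trusted ranges")
        if rec["user"] == "-":
            reasons.append("no authenticated user")
        if rec["method"] in ("POST", "PUT", "PATCH", "DELETE"):
            reasons.append("state-changing method " + rec["method"])
        if reasons:
            findings.append({"time": rec["ts"], "src": rec["src"], "user": rec["user"],
                             "method": rec["method"], "path": rec["path"],
                             "status": rec["status"], "reasons": reasons})
    return findings


# Constructed file-write events as (ISO-8601 time, path, writing process).
# In practice these come from auditd, EDR or a file-integrity monitor.
SAMPLE_FILE_EVENTS = [
    ("2026-06-18T08:00:30+00:00", "/opt/splunk/etc/apps/corp_ta/local/inputs.conf", "splunkd"),
    ("2026-06-18T09:13:45+00:00", "/opt/splunk/etc/apps/unknown_app/bin/run.py", "postgres"),
    ("2026-06-18T09:20:00+00:00", "/opt/splunk/var/log/splunk/splunkd.log", "splunkd"),
]

# Approved change windows (assumption): writes under the apps directory
# inside a window are treated as administrative deployments.
DEPLOYMENT_WINDOWS = [
    (datetime(2026, 6, 18, 7, 55, tzinfo=timezone.utc),
     datetime(2026, 6, 18, 8, 10, tzinfo=timezone.utc)),
]


def detect_unexpected_app_writes(events, windows=DEPLOYMENT_WINDOWS, apps_root=APPS_ROOT):
    """Flag writes under the apps directory that fall outside every approved window."""
    findings = []
    for ts, path, proc in events:
        if not path.startswith(apps_root):
            continue
        when = datetime.fromisoformat(ts)
        if any(start <= when <= end for start, end in windows):
            continue
        findings.append({"time": ts, "path": path, "process": proc})
    return findings


if __name__ == "__main__":
    for hit in detect_sidecar_access(SAMPLE_ACCESS_LOG):
        print("SIDECAR", hit["time"], hit["src"], hit["method"], hit["path"], "; ".join(hit["reasons"]))
    for hit in detect_unexpected_app_writes(SAMPLE_FILE_EVENTS):
        print("APPWRITE", hit["time"], hit["process"], hit["path"])
```

On the constructed input the script reports the two external, unauthenticated POST/PUT requests to the sidecar path and the one write under the apps directory that happened outside the change window and was made by a process other than splunkd; the authenticated GET from a trusted range and the write inside the window are not reported. Correlating the flagged request times against the flagged file events is left to the analyst, since the two data sources will rarely share a clock to the millisecond.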
REFERENCES
- https://advisory.splunk.com/advisories/SVD-2026-0603
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://nvd.nist.gov/vuln/detail/CVE-2026-20253