ADVISORY SUMMARY
CVE-2026-20253 (CVSS 9.8 Critical) is a missing-authentication vulnerability in the PostgreSQL sidecar service endpoint of Splunk Enterprise that lets unauthenticated attackers create or truncate arbitrary files; researchers chained this primitive to full pre-auth RCE. CISA added it to the KEV catalog on June 18 with a 3-day federal patch deadline. A public PoC (WatchTowr) is available, exploitation has been confirmed by Splunk PSIRT, and over 1,400 internet-exposed Splunk instances are tracked by Shadowserver. Compromise of Splunk (the SIEM) can blind defenders, tamper with detection logic, and expose all ingested log data.
AFFECTED SYSTEMS
MITIGATION GUIDANCE
Upgrade Splunk Enterprise to 10.0.7, 10.2.4, or 10.4.0+. If immediate patching is not possible, disable the PostgreSQL Sidecar Service by adding 'disabled = true' under [splunk-launch] in $SPLUNK_HOME/etc/system/local/server.conf and restarting Splunk (note: this also disables Edge Processor, OpAmp, and SPL2 pipelines). Restrict network access to the sidecar port to loopback (127.0.0.1) only, using firewall rules.
DETECTION SIGNATURES
Monitor for unauthorized HTTP requests to /v1/postgres/recovery/backup and /v1/postgres/recovery/restore endpoints. Check for unexpected modifications to /opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py. Audit Splunk script directories for injected payloads. Review for new or modified cron entries and unexpected child processes spawned by the Splunk service account. Rotate all credentials and secrets if exposure is confirmed.
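As an added example, not code from the advisory or from Splunk: a small Python filter that applies the first detection rule above to constructed access-log lines (assumed to be in Combined Log Format), returning every request to the two sidecar recovery endpoints and marking those that arrive from a non-loopback client, which should not occur once the port is restricted to 127.0.0.1.

```python
import ipaddress
import re

# Endpoints named in the advisory's detection guidance.
SIDECAR_RECOVERY_PATHS = (
    "/v1/postgres/recovery/backup",
    "/v1/postgres/recovery/restore",
)

# Assumption: access log lines follow Combined Log Format
# (client ident user [timestamp] "METHOD path proto" status size).
_LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
127.0.0.1 - - [18/Jun/2026:10:01:02 +0000] "GET /v1/postgres/status HTTP/1.1" 200 512
203.0.113.45 - - [18/Jun/2026:10:02:17 +0000] "POST /v1/postgres/recovery/backup HTTP/1.1" 200 0
203.0.113.45 - - [18/Jun/2026:10:02:19 +0000] "POST /v1/postgres/recovery/restore HTTP/1.1" 200 0
127.0.0.1 - - [18/Jun/2026:10:03:00 +0000] "GET /en-US/app/launcher/home HTTP/1.1" 200 2048
127.0.0.1 - - [18/Jun/2026:10:04:41 +0000] "POST /v1/postgres/recovery/backup HTTP/1.1" 200 0
"""


def is_loopback(ip: str) -> bool:
    """True for 127.0.0.0/8 or ::1; malformed addresses count as non-loopback."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def find_sidecar_recovery_requests(lines):
    """Return one record per request to a recovery endpoint, in log order."""
    hits = []
    for line in lines:
        m = _LINE_RE.match(line)
        if not m:
            continue  # not an access-log line we understand; skip, never crash
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path not in SIDECAR_RECOVERY_PATHS:
            continue
        client = m.group("client")
        hits.append({
            "ts": m.group("ts"), "client": client, "method": m.group("method"),
            "path": path, "status": int(m.group("status")),
            "remote": not is_loopback(client),  # should be False after mitigation
        })
    return hits


if __name__ == "__main__":
    for h in find_sidecar_recovery_requests(SAMPLE_LOG.splitlines()):
        print(("ALERT " if h["remote"] else "info  ") + str(h))
```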
REFERENCES
- https://advisory.splunk.com/advisories/SVD-2026-0603
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://nvd.nist.gov/vuln/detail/CVE-2026-20253
- https://thehackernews.com/2026/06/critical-splunk-enterprise-flaw-lets.html