VULNERABILITY OVERVIEW
A missing authentication control (CWE-306) on the PostgreSQL sidecar service endpoint allows any unauthenticated, network-reachable attacker to create or truncate arbitrary files on the Splunk server. Researchers at watchTowr Labs demonstrated that this file-write primitive is chainable into full pre-auth RCE by overwriting a scheduled Python script executed under the Splunk service account. CISA added CVE-2026-20253 to KEV on June 18, 2026 after Splunk PSIRT confirmed limited in-the-wild exploitation. Public PoC code is available on GitHub, and no workaround exists: only patching remediates the issue.
CVSS BREAKDOWN
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Impact (C/I/A): C:H · I:H · A:H
AFFECTED VERSIONS
Splunk Enterprise 10.0.0–10.0.6 (fixed in 10.0.7) and 10.2.0–10.2.3 (fixed in 10.2.4); AWS deployments vulnerable by default; 9.4.x and earlier not affected.

CITATIONS
- https://advisory.splunk.com/advisories/SVD-2026-0603
- https://thehackernews.com/2026/06/critical-splunk-enterprise-flaw-lets.html
- https://www.picussecurity.com/resource/blog/splunk-cve-2026-20253-unauthenticated-remote-code-execution-vulnerability-explained
- https://www.rescana.com/post/active-exploitation-of-critical-cve-2026-20253-in-splunk-enterprise-unauthenticated-rce-via-postgresql-sidecar-service
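As an added triage helper (not code from the advisory or from Splunk), the following checks an inventory of Splunk Enterprise version strings against the affected ranges stated in the AFFECTED VERSIONS section above and reports the fixed release each affected host should move to. The inventory, the host names and the handling of version trains the page does not list (e.g. 10.1.x) are assumptions made here.

```python
from typing import Dict, Optional, Tuple

# Ranges taken from the AFFECTED VERSIONS section of this page:
# (first affected, last affected, fixed release).
AFFECTED_RANGES = [
    ((10, 0, 0), (10, 0, 6), (10, 0, 7)),
    ((10, 2, 0), (10, 2, 3), (10, 2, 4)),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.0.6' or '10.0.6-abc123' (build suffix) into a comparable tuple.

    Missing components are padded with zeros so '10.2' sorts as 10.2.0.
    """
    core = text.strip().split("-")[0].split("+")[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def affected_fix(version: str) -> Optional[str]:
    """Return the fixed release for an affected version, or None otherwise.

    Assumption: versions outside the listed ranges (9.4.x and earlier, the
    fixed releases, and trains the page does not mention such as 10.1.x) are
    reported as not affected because the page lists no range for them.
    """
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return ".".join(str(n) for n in fixed)
    return None


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each affected host to the release it must be patched to."""
    result = {}
    for host, version in inventory.items():
        fixed = affected_fix(version)
        if fixed is not None:
            result[host] = fixed
    return result


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "splunk-sh-01": "10.0.6",
    "splunk-idx-02": "10.2.1-build7f3a",
    "splunk-idx-03": "10.2.4",
    "splunk-legacy": "9.4.12",
}
```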