Top stories
Splunk Enterprise unauthenticated file-write flaw CVE-2026-20253 is under active exploitation
- Category: Security
- Status: confirmed
- Sources: Splunk advisory SVD-2026-0603, Horizon3.ai analysis, SecurityWeek, CISA KEV
- Summary: CVE-2026-20253 (CVSS 9.8) is a missing-authentication flaw on a Splunk Enterprise PostgreSQL sidecar service endpoint that lets an unauthenticated, network-reachable attacker create or truncate arbitrary files, which can chain to denial of service, log-integrity loss, or remote code execution. It affects Splunk Enterprise 10.0.0 through 10.0.6 and 10.2.0 through 10.2.3; versions 9.4 and earlier are not affected. Splunk patched it in 10.0.7 and 10.2.4. Public exploit analysis appeared on 2026-06-13, three days after disclosure, and CISA added it to the Known Exploited Vulnerabilities catalog on 2026-06-18 with a three-day federal remediation deadline.
- Why it matters: Splunk Enterprise is core SOC and log-analysis infrastructure, so an unauthenticated file-write to remote-code-execution path under active exploitation puts detection pipelines themselves at risk.
- Follow-up: Watch for confirmed RCE chains, ransomware follow-on, and patch adoption. Tracked in
memory/followups.md.