Top stories
Splunk Enterprise CVE-2026-20253 active exploitation, federal deadline 2026-06-21
- Category: Security
- Status: confirmed
- Sources: Splunk SVD-2026-0603, Horizon3.ai, Help Net Security, CISA KEV
- Summary: CVE-2026-20253 (CVSS 9.8) is a missing-authentication flaw on a Splunk Enterprise PostgreSQL sidecar service endpoint that lets an unauthenticated, network-reachable attacker create or truncate arbitrary files, chainable to DoS or RCE. Splunk and Resecurity confirmed active in-the-wild exploitation. CISA added it to the KEV catalog on 2026-06-18 with a federal remediation deadline of 2026-06-21. Affected: 10.0.0-10.0.6 and 10.2.0-10.2.3; patched in 10.0.7, 10.2.4, and 10.4.0.
- Comments: watchTowr published technical analysis and a neutered proof-of-concept on 2026-06-12, and public Nuclei detection templates followed. Splunk confirmed on 2026-06-15 that disabling the PostgreSQL sidecar service mitigates the flaw with some loss of functionality.
- Why it matters: Splunk Enterprise is core SOC and SIEM infrastructure, so an unauthenticated file-write reachable over the network gives attackers a direct path into the monitoring layer.