• Category: Security
  • Status: confirmed
  • Sources: Splunk SVD-2026-0603, Horizon3.ai, Help Net Security, CISA KEV
  • Summary: CVE-2026-20253 (CVSS 9.8) is a missing-authentication flaw on a Splunk Enterprise PostgreSQL sidecar service endpoint that lets an unauthenticated, network-reachable attacker create or truncate arbitrary files, chainable to DoS or RCE. Splunk and Resecurity confirmed active in-the-wild exploitation. CISA added it to the KEV catalog on 2026-06-18 with a federal remediation deadline of 2026-06-21. Affected: 10.0.0-10.0.6 and 10.2.0-10.2.3; patched in 10.0.7, 10.2.4, and 10.4.0.
  • Comments: watchTowr published technical analysis and a neutered proof-of-concept on 2026-06-12, and public Nuclei detection templates followed. Splunk confirmed on 2026-06-15 that disabling the PostgreSQL sidecar service mitigates the flaw with some loss of functionality.
  • Why it matters: Splunk Enterprise is core SOC and SIEM infrastructure, so an unauthenticated file-write reachable over the network gives attackers a direct path into the monitoring layer.

Send feedback on this story