CVE-2026-20253
Published 2026-06-10
Priority: P1 (100) · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability · due 2026-06-21
Exploited in the wild
EPSS: 88.17% (99.7th percentile)
In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials. Splunk Enterprise versions 9.4 and earlier are not affected. If you cannot immediately upgrade to a fixed version, you can mitigate this vulnerability by disabling the PostgreSQL sidecar service.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| splunk | splunk | >= 10.0.0 < 10.0.7 | 10.0.7 |
| splunk | splunk | >= 10.2.0 < 10.2.4 | 10.2.4 |
| splunk | splunk_enterprise | >= 10.0 < 10.0.7 | 10.0.7 |
| splunk | splunk_enterprise | >= 10.2 < 10.2.4 | 10.2.4 |
Detection & IOCs (extracted from sources)
- url: POST /{{region}}/splunkd/__raw/v1/postgres/recovery/backup HTTP/1.1
- other: Authorization: Basic ZGFnOg==
- Detect unauthenticated POST requests to the PostgreSQL sidecar backup/restore endpoints. The Nuclei template matches HTTP 400 responses containing 'Failed to decode' in the body as a probe indicator.
- Monitor for requests to /splunkd/__raw/v1/postgres/recovery/backup or /restore without valid authentication headers, particularly from external/untrusted network sources.
- Alert on creation or modification of .pgpass files under the Splunk data directory, which is a key step in the exploit chain to extract the postgres_admin password.
- Monitor for unexpected writes to Python scripts under /opt/splunk/etc/apps/, especially ssg_enable_modular_input.py, which is targeted for overwrite to achieve RCE.
- Hunt for use of the PostgreSQL lo_export function in database activity logs, which is leveraged to write attacker-controlled content to the Splunk file system during the restore phase.
- Use FOFA or similar internet-scanning intelligence to identify exposed Splunk instances: body contains both 'enterprise' and 'splunk'.

Notes:
- Splunk Cloud Platform is NOT affected by this vulnerability, as Postgres sidecars are not used in that product.
- Splunk Enterprise versions 9.4 and earlier are not affected; only versions 10.0.0–10.0.6 and 10.2.0–10.2.3 are vulnerable.
- Disabling the PostgreSQL sidecar service as a mitigation will break Edge Processor, OpAmp, or SPL2 data pipelines on affected instances.
- Splunk Enterprise 10.4 is not affected by this vulnerability.
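The second and third detection items above (requests to the sidecar backup/restore paths without a valid authenticated identity, especially from untrusted networks) can be turned into a small log-review routine. The following is an added example written for this page, not Splunk's code and not taken from any of the sources quoted here. It assumes a constructed access-log layout (client IP, authenticated user or "-", timestamp, request line, status), a constructed trusted management range of 10.0.0.0/8, and constructed sample lines; adjust the regex and the allow-list to the log source and network layout you actually operate.

```python
import ipaddress
import re
from dataclasses import dataclass

# Sidecar recovery endpoints named in the detection guidance for CVE-2026-20253.
SIDECAR_ENDPOINTS = (
    "/splunkd/__raw/v1/postgres/recovery/backup",
    "/splunkd/__raw/v1/postgres/recovery/restore",
)

# Assumption (constructed for this example): networks from which administrative
# sidecar calls are expected. Replace with your own management ranges.
TRUSTED_NETWORKS = (ipaddress.ip_network("10.0.0.0/8"),)

# Assumed log layout, constructed for this example: client IP, "-", the
# authenticated user ("-" when the request carried no valid credentials),
# a bracketed timestamp, the quoted request line, and the HTTP status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


@dataclass
class Finding:
    severity: str
    ip: str
    user: str
    path: str
    status: int
    reason: str


def is_sidecar_path(path: str) -> bool:
    """True if the request path targets a postgres recovery endpoint.

    The query string is dropped and only the suffix is compared, because the
    request observed in the IOCs carries a leading /{{region}}/ segment.
    """
    clean = path.split("?", 1)[0]
    return any(clean.endswith(endpoint) for endpoint in SIDECAR_ENDPOINTS)


def from_trusted_network(ip: str) -> bool:
    """True if the client address falls inside an allow-listed range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparsable source address is treated as untrusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def analyse(lines):
    """Return one Finding per suspicious sidecar request in the given log lines."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match or not is_sidecar_path(match["path"]):
            continue  # unparsable line or unrelated request
        status = int(match["status"])
        if match["user"] == "-":
            # Core signal for this CVE: the endpoint handled a request that
            # carried no authenticated identity at all.
            findings.append(Finding("critical", match["ip"], match["user"], match["path"], status,
                                    "unauthenticated request to PostgreSQL sidecar recovery endpoint"))
        elif not from_trusted_network(match["ip"]):
            # Authenticated, but not from where sidecar administration is expected.
            findings.append(Finding("review", match["ip"], match["user"], match["path"], status,
                                    "sidecar recovery request from untrusted network"))
    return findings


# Constructed sample lines (not real traffic). The two 203.0.113.7 entries show
# an unauthenticated probe answered with HTTP 400 followed by a restore call.
SAMPLE_LINES = [
    '10.0.0.5 - admin [10/Jun/2026:12:00:01.000 +0000] "GET /services/server/info HTTP/1.1" 200',
    '203.0.113.7 - - [10/Jun/2026:12:00:02.000 +0000] "POST /us-east/splunkd/__raw/v1/postgres/recovery/backup HTTP/1.1" 400',
    '203.0.113.7 - - [10/Jun/2026:12:00:03.000 +0000] "POST /us-east/splunkd/__raw/v1/postgres/recovery/restore HTTP/1.1" 200',
    '10.0.0.9 - svc_backup [10/Jun/2026:12:00:04.000 +0000] "POST /splunkd/__raw/v1/postgres/recovery/backup?full=1 HTTP/1.1" 200',
    '198.51.100.4 - admin [10/Jun/2026:12:00:05.000 +0000] "POST /splunkd/__raw/v1/postgres/recovery/restore HTTP/1.1" 200',
    'this line is not an access-log record and is skipped',
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LINES):
        print(f"[{f.severity}] {f.ip} user={f.user} status={f.status} {f.path}: {f.reason}")
```

Run against the constructed sample it reports the two unauthenticated calls from 203.0.113.7 as critical and the authenticated call from 198.51.100.4 as needing review, while the authenticated call from the trusted range is ignored. Matching on the path suffix rather than an exact string is deliberate: the IOC request line shows a region prefix ahead of /splunkd, so an exact match would miss it.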
CVSS provenance
- nvd: v3.1 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck: 9.8 CRITICAL
- cisa: 9.8 CRITICAL
VulDB
Splunk Enterprise/Cloud Platform PostgreSQL Sidecar Service Endpoint missing authentication (SVD-2026-0603)
vuldb · 2026-06-10 · CVSS 9.8 · CRITICAL
A vulnerability, which was classified as critical, has been found in Splunk Enterprise and Cloud Platform. Affected by this issue is some unknown functionality of the component PostgreSQL Sidecar Service Endpoint. The manipulation leads to missing authentication.
This vulnerability is uniquely identified as CVE-2026-20253. The attack is possible to be carried out remotely. No exploit exists.
It is advisable to upgrade the affected component.
GHSA
ghsa_unreviewed · 2026-06-10 · CRITICAL · CWE-306
In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.3 and 10.2.2510.14, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials.
VulnCheck
splunk splunk Missing Authentication for Critical Function
vulncheck · 2026 · CVSS 9.8 · CRITICAL
In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials. Splunk Enterprise versions 9.4 and earlier are not affected. If you cannot immediately upgrade to a fixed version, you can mitigate this vulnerability by disabling the PostgreSQL sidecar service.
Affected: splunk splunk
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations ar
CISA
Splunk Enterprise Missing Authentication for Critical Function Vulnerability
cisa · 2026-06-18 · CVSS 9.8 · CRITICAL · CWE-306
Affected: Splunk Enterprise
Splunk Enterprise contains a missing authentication for critical function vulnerability which could allow an unauthenticated user to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint.
Required Action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring a
No detection rules found.
Nuclei
Splunk Enterprise & Cloud Platform - Unrestricted File Upload
nuclei · CVSS 9.8 · CRITICAL
In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.3 and 10.2.2510.14, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials.
Template:
```yaml
id: CVE-2026-20253

info:
  name: Splunk Enterprise & Cloud Platform - Unrestricted File Upload
  author: watchtowrlabs,DhiyaneshDk
  severity: critical
  description: |
    In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.3 and 10.2.2510.14, an unauthenti
```
Checkpoint
22nd June – Threat Intelligence Report
blogs_checkpoint · 2026-06-22 · CVE-2026-42824
For the latest discoveries in cyber research for the week of 22nd June, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Texas Parks and Wildlife Department has been affected by a third-party data breach involving its license system vendor. The incident exposed driver’s license information, passport numbers, emails, phone numbers, and residential addresses for 3,087,721 hunting and fishing license customers. Social Security numbers and payment dat
Hackernews
⚡ Weekly Recap: Browser Bugs, EDR Killers, TV Botnet, OpenBSD Flaw, Android Trojan, and More
blogs_hackernews · 2026-06-22 · CVSS 9.8 · CVE-2026-24858 [CRITICAL]
It’s Monday again.
This week’s threat list looks painfully familiar: abused integrations, fake tools, poisoned websites, ransomware crews trying to shut down security tools, and mobile malware asking for way too much control.
The annoying part is how little of this feels new. Weak credentials, sketchy downloads, browser extensions with too much access, and WordPress sites are used to push more attacks. Nothing clever. Just sloppy, cheap, and effective.
Here’s the Monday recap. Let’s get into the week’s mess.
## ⚡ Threat of the We
Bleepingcomputer
CISA: Splunk Enterprise flaw actively exploited, patch by Sunday
blogs_bleepingcomputer · 2026-06-19 · CVSS 9.8 · CRITICAL
By Sergiu Gatlan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to secure their systems by Sunday against a critical Splunk Enterprise vulnerability that is being exploited in attacks.
Tracked as CVE-2026-20253, this security flaw affects Splunk Enterprise (versions 10.2.0 to 10.2.3 and 10.0.0 to 10.0.6) and allows remote attackers without privileges to create or truncate arbitrary files on vulnerable devices via a PostgreSQL sidecar service endpoint.
"The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials," the Splunk security team said in a se
Hackernews
⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More
blogs_hackernews · 2026-06-15 · CVSS 8.8 · CVE-2026-11645 [HIGH]
Stuff broke again. Not in a movie way. An old tool was left exposed. An abandoned package was abused. A deprecated feature was still running in prod.
This week is the same lesson in a new form: phishing kits are easier to rent, AI names are useful bait, old login paths still fail, and forgotten software keeps becoming someone else's entry point.
Scroll through the full Monday Cybersecurity Recap below for the news, tools, webinars, and fixes worth your time this week.
## ⚡ Threat of the Week
Google Patches Actively Exploited Chrome 0-Day - G
Hackernews
Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication
blogs_hackernews · 2026-06-13 · CVSS 9.8 · CRITICAL
Splunk has released security updates to address a critical security flaw in Splunk Enterprise that could be exploited to conduct unauthenticated file operations and even remote code execution.
The vulnerability, tracked as CVE-2026-20253, is rated 9.8 on the CVSS scoring system.
"In Splunk Enterprise versions below 10.2.4 and 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint," Splunk said in an alert this week.
"The vulnerability exists because the PostgreSQL sidecar service e
- 2026-06-10 · Published
- 2026-06-18 · Added to CISA KEV
- Exploited in the wild