CISA Warns Actively Exploited Splunk Enterprise Flaw Needs Urgent Patching

CISA has added a critical Splunk Enterprise vulnerability to its Known Exploited Vulnerabilities catalog after attackers began exploiting the flaw in real-world attacks. The deadline for U.S. federal civilian agencies to fix the issue was June 21, 2026, which has now passed.

The vulnerability is tracked as CVE-2026-20253 and affects Splunk Enterprise 10.2.0 through 10.2.3 and 10.0.0 through 10.0.6. According to the official Splunk advisory, unauthenticated attackers can create or truncate arbitrary files through a PostgreSQL sidecar service endpoint that lacks proper authentication controls.

The CISA alert says this type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risk to the federal enterprise. Agencies covered by the directive had to patch or apply approved mitigations by June 21.

What CVE-2026-20253 Allows Attackers To Do

CVE-2026-20253 is a missing-authentication flaw in Splunk Enterprise’s PostgreSQL sidecar service endpoint. In simple terms, a network-reachable attacker can invoke file operations without logging in.

Splunk rated the issue critical with a CVSS score of 9.8. The company said its Product Security Incident Response Team became aware of limited exploitation in June 2026 and strongly urged customers to move to fixed versions.

Security researchers later showed that the file-write primitive could be turned into remote code execution in practical attack scenarios. watchTowr Labs published a technical analysis explaining how attackers could chain the flaw to write controlled content to the Splunk filesystem and reach code execution.

| Product | Affected Versions | Fixed Version |
|---|---|---|
| Splunk Enterprise 10.2 | 10.2.0 to 10.2.3 | 10.2.4 or later |
| Splunk Enterprise 10.0 | 10.0.0 to 10.0.6 | 10.0.7 or later |
| Splunk Enterprise 10.4 | Not affected | 10.4.0 or later |
| Splunk Enterprise 9.4 and earlier | Not affected | Not applicable |
| Splunk Cloud Platform | Not affected | Not applicable |

Why CISA Set A Fast Patch Deadline

CISA added CVE-2026-20253 to its exploited-vulnerability catalog on June 18 after Splunk confirmed limited exploitation. The agency required Federal Civilian Executive Branch agencies to remediate the issue by June 21 under its newer risk-based patching process.

The flaw is dangerous because Splunk Enterprise often sits close to sensitive logs, security data, and operational telemetry. A compromised Splunk server can give attackers a valuable foothold inside an organization’s monitoring environment.

BleepingComputer reported that more than 1,400 internet-exposed Splunk instances were being tracked by Shadowserver around the time of the warning. It was not clear how many of those exposed systems were vulnerable to CVE-2026-20253.

  • CVE-2026-20253 is under active exploitation.
  • The flaw affects Splunk Enterprise 10.0 and 10.2 branches.
  • Attackers do not need valid credentials to reach the vulnerable function if the endpoint is network-accessible.
  • Public research showed a path from arbitrary file write to remote code execution.
  • CISA’s federal patch deadline has already passed.

Public Exploit Research Raised The Urgency

Splunk released patches before CISA added the flaw to the KEV catalog. However, public exploit research quickly increased pressure on administrators because defenders had less time between disclosure, proof-of-concept publication, and active exploitation.

The watchTowr write-up showed how the vulnerability could be tested and chained in a lab environment. The researchers also released a detection artefact generator intended to help administrators check exposure without providing a full destructive exploit path.

The NVD entry describes the issue as unauthenticated arbitrary file creation or truncation through a PostgreSQL sidecar service endpoint. It also identifies the underlying weakness as missing authentication for a critical function.

How Admins Should Patch Or Mitigate

The safest fix is to upgrade affected Splunk Enterprise servers to a supported fixed release. Splunk Enterprise 10.2 deployments should move to 10.2.4 or later, while Splunk Enterprise 10.0 deployments should move to 10.0.7 or later.

Administrators who cannot immediately upgrade can disable the PostgreSQL sidecar service as a mitigation. The official Splunk security notice says this removes the vulnerable attack surface, but it also warns that the workaround breaks Edge Processor, OpAmp, and SPL2 data pipelines on affected instances.

Teams should also check whether their Splunk systems have been reachable from the internet or from untrusted internal networks. A Splunk instance does not need to be public-facing to matter, because attackers who already gained a foothold elsewhere may still reach internal management or service endpoints.

| Admin Action | Purpose |
|---|---|
| Upgrade to Splunk Enterprise 10.2.4 or 10.0.7 | Apply the vendor fix for affected branches |
| Move to 10.4.0 or later where appropriate | Use a branch not affected by this flaw |
| Disable the PostgreSQL sidecar only if patching is delayed | Reduce exposure until the upgrade can happen |
| Review internet exposure and firewall rules | Limit who can reach Splunk management and service endpoints |
| Hunt for suspicious file changes | Look for possible exploitation before or after patching |
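The version ranges in the two tables above are easy to misread across a large estate, so here is an added triage helper (not Splunk's or CISA's tooling) that classifies an inventory of Splunk Enterprise hosts against those ranges and orders the work. It encodes only what the article states: 10.2.0 to 10.2.3 and 10.0.0 to 10.0.6 are affected, 10.2.4 and 10.0.7 are the fixed releases, and 10.4 and 9.4 or earlier are not affected. Branches the article does not list (for example 10.1 or 10.3) are reported as unknown rather than guessed. The inventory, the hostnames and the `internet_exposed` flag are constructed sample data; the "internet-facing first" ordering follows the article's prioritisation advice.

```python
"""Triage a Splunk Enterprise inventory against the CVE-2026-20253 version table (added example)."""

# Vendor table as reported in the article: branch -> (first affected, last affected, first fixed)
AFFECTED_RANGES = {
    (10, 2): ((10, 2, 0), (10, 2, 3), "10.2.4"),
    (10, 0): ((10, 0, 0), (10, 0, 6), "10.0.7"),
}
# Branches the article explicitly calls "not affected"
NOT_AFFECTED_BRANCHES = {(10, 4)}
HIGHEST_UNAFFECTED_MAJOR = 9  # "Splunk Enterprise 9.4 and earlier" are not affected


def parse_version(text):
    """Turn '10.2.3' (or '10.2') into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def classify(version):
    """Return (status, action) for one Splunk Enterprise version string."""
    v = parse_version(version)
    branch = v[:2]
    if branch in AFFECTED_RANGES:
        first, last, fixed = AFFECTED_RANGES[branch]
        if first <= v <= last:
            return ("affected", f"upgrade to {fixed} or later")
        return ("fixed", "already on a fixed release; no action for this CVE")
    if v[0] <= HIGHEST_UNAFFECTED_MAJOR or branch in NOT_AFFECTED_BRANCHES:
        return ("not_affected", "no action for this CVE")
    # Assumption: any branch the article does not list is treated as unknown, not safe.
    return ("unknown", "branch not listed in the advisory table; check the vendor advisory")


def triage(inventory):
    """Classify every host and sort so internet-exposed affected hosts come first."""
    rows = []
    for host in inventory:
        status, action = classify(host["version"])
        rows.append({**host, "status": status, "action": action})
    order = {"affected": 0, "unknown": 1, "fixed": 2, "not_affected": 3}
    rows.sort(key=lambda r: (order[r["status"]], not r["internet_exposed"], r["host"]))
    return rows


# Constructed sample inventory; hostnames and exposure flags are made up for this example.
SAMPLE_INVENTORY = [
    {"host": "splunk-idx-01", "version": "10.2.3", "internet_exposed": False},
    {"host": "splunk-sh-01", "version": "10.2.1", "internet_exposed": True},
    {"host": "splunk-hf-02", "version": "10.0.7", "internet_exposed": True},
    {"host": "splunk-legacy", "version": "9.4.2", "internet_exposed": False},
    {"host": "splunk-lab", "version": "10.1.0", "internet_exposed": False},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['host']:<14} {row['version']:<7} {row['status']:<13} {row['action']}")
```

Run it against an export of your own asset inventory in the same shape; hosts flagged `unknown` should be resolved against the vendor advisory rather than left out of the patch list.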

What To Check After Patching

Because exploitation has already been observed, patching should not be the only response. Security teams should review Splunk logs, operating system logs, file integrity data, and any unexpected changes under the Splunk installation path.

They should also look for signs of unauthorized file creation, file truncation, unusual backup or restore activity, new scripts, changed app files, and unexpected outbound traffic from Splunk servers. Any internet-facing Splunk Enterprise server in an affected version range should receive higher priority.
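The post-patch checks above come down to spotting files that were created, truncated, or modified under the Splunk installation path. This added example (not Splunk's code) shows the baseline-and-compare approach that a file integrity check uses: snapshot every file's size and SHA-256 under a directory, then diff two snapshots and label the findings, with a file that dropped to zero bytes reported as truncated, since that is the primitive the advisory describes. The `demo()` function builds a throwaway directory with constructed files to exercise the detector; the install path you point `snapshot()` at in practice is your own.

```python
"""Baseline/compare file integrity check for an install directory (added example)."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file under root (relative POSIX path) to (size, sha256)."""
    root = Path(root)
    snap = {}
    for path in root.rglob("*"):
        if path.is_file():
            data = path.read_bytes()
            snap[path.relative_to(root).as_posix()] = (len(data), hashlib.sha256(data).hexdigest())
    return snap


def diff_snapshots(before, after):
    """Return sorted (finding, relative_path) pairs describing what changed."""
    findings = []
    for rel in sorted(set(before) | set(after)):
        old, new = before.get(rel), after.get(rel)
        if old is None:
            findings.append(("created", rel))
        elif new is None:
            findings.append(("deleted", rel))
        elif new[1] != old[1]:
            # A non-empty file that is now zero bytes matches the truncation primitive
            kind = "truncated" if new[0] == 0 and old[0] > 0 else "modified"
            findings.append((kind, rel))
    return findings


def demo():
    """Exercise the detector on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "system.conf").write_text("[general]\nserverName = constructed\n")
        (root / "bin" / "script.sh").write_text("#!/bin/sh\necho baseline\n")
        baseline = snapshot(root)

        # Simulated changes an admin would want to see flagged (all constructed)
        (root / "etc" / "local").mkdir()
        (root / "etc" / "local" / "dropped.txt").write_text("unexpected new file\n")
        (root / "bin" / "script.sh").write_bytes(b"")  # truncated to zero bytes
        (root / "etc" / "system.conf").write_text("[general]\nserverName = changed\n")

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for finding, rel in demo():
        print(f"{finding:<10} {rel}")
```

In practice, take the baseline from a known-good host or a fresh package extract, store it outside the monitored directory, and review every `created` and `truncated` finding by hand before concluding the host is clean.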

[Figure: Splunk instances exposed online (Shadowserver)]

The CISA KEV listing makes the issue mandatory for federal agencies, but private companies should treat it with the same urgency if they run vulnerable Splunk Enterprise builds.

  • Confirm the installed Splunk Enterprise version.
  • Patch affected 10.0 and 10.2 deployments immediately.
  • Confirm that Splunk Cloud Platform is not in scope for this issue.
  • Restrict network access to Splunk management and sidecar endpoints.
  • Check for unexpected files or modified scripts in Splunk directories.
  • Review logs for suspicious backup, restore, and PostgreSQL sidecar activity.
  • Use trusted exposure data and internal asset inventory to find forgotten Splunk instances.

Why This Flaw Matters

Splunk is widely used for security monitoring, log management, and operational visibility. That makes any unauthenticated flaw in Splunk Enterprise especially sensitive because attackers may target the systems defenders rely on to detect attacks.

The issue also shows how quickly vulnerability windows are shrinking. Splunk disclosed the flaw, researchers published technical analysis, Splunk confirmed limited exploitation, and CISA imposed a short remediation deadline within days.

BleepingComputer noted that CISA ordered federal agencies to apply fixes under Binding Operational Directive 26-04, which focuses patching on the vulnerabilities most likely to create real operational risk. The CVE-2026-20253 record confirms the flaw sits in a network-reachable PostgreSQL sidecar service endpoint with missing authentication controls.

FAQ

What is CVE-2026-20253?

CVE-2026-20253 is a critical Splunk Enterprise vulnerability that allows an unauthenticated network-reachable attacker to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint.

Which Splunk Enterprise versions are affected?

The flaw affects Splunk Enterprise 10.2.0 through 10.2.3 and Splunk Enterprise 10.0.0 through 10.0.6. Splunk Enterprise 10.4, Splunk Enterprise 9.4 and earlier, and Splunk Cloud Platform are not affected.

Has CVE-2026-20253 been exploited in attacks?

Yes. Splunk said its Product Security Incident Response Team became aware of limited exploitation in June 2026, and CISA added the flaw to its Known Exploited Vulnerabilities catalog.

How do admins fix CVE-2026-20253?

Administrators should upgrade affected Splunk Enterprise 10.2 systems to 10.2.4 or later, and affected Splunk Enterprise 10.0 systems to 10.0.7 or later. If they cannot patch immediately, they can disable the PostgreSQL sidecar service, but that may break Edge Processor, OpAmp, or SPL2 data pipelines.

Is Splunk Cloud affected by CVE-2026-20253?

No. Splunk clarified that Splunk Cloud Platform is not affected because it does not use the PostgreSQL sidecars tied to this vulnerability.
