Splunk Enterprise Vulnerabilities Expose Systems to RCE, XSS, SSRF, and Data Theft
Splunk has patched multiple vulnerabilities in Splunk Enterprise and Splunk Cloud Platform that could allow attackers to create or truncate files, run malicious scripts in a user’s browser, exfiltrate data from dashboards, and trigger server-side requests to internal systems.
The most severe issue is CVE-2026-20253, a critical unauthenticated file creation and truncation flaw in a PostgreSQL sidecar service endpoint. Splunk rates it 9.8 critical because any network-reachable attacker could invoke file operations without credentials.
Splunk published the advisories on June 10, 2026, as part of its security advisory update. Administrators should prioritize affected Splunk Enterprise 10.2 and 10.0 deployments, then review the wider Splunk Web and Splunk Secure Gateway issues in the same patch cycle.
Critical Splunk Flaw Allows Unauthenticated File Operations
CVE-2026-20253 affects Splunk Enterprise 10.2 versions below 10.2.4 and Splunk Enterprise 10.0 versions below 10.0.7. Splunk Enterprise 9.4 and earlier are not affected by this specific PostgreSQL sidecar issue.
The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls. Splunk says an unauthenticated user could create or truncate arbitrary files through the endpoint if the service is network reachable.
Splunk recommends upgrading to 10.4.0, 10.2.4, or 10.0.7 or higher. If an immediate upgrade is not possible, the Splunk advisory says administrators can disable the PostgreSQL sidecar service, but they should not do so on instances that use Edge Processor, OpAmp, or SPL2 data pipelines.
| CVE | Severity | Affected area | Main impact |
|---|---|---|---|
| CVE-2026-20253 | Critical, 9.8 | PostgreSQL sidecar service endpoint | Unauthenticated arbitrary file creation or truncation |
| CVE-2026-20251 | High, 8.8 | Splunk Secure Gateway | Remote code execution through unsafe deserialization |
| CVE-2026-20252 | High, 7.6 | Dashboard Studio PDF export | Server-side request forgery to internal destinations |
| CVE-2026-20258 | High, 7.1 | Classic Dashboard HTML panel | Stored cross-site scripting in another user’s browser |
| CVE-2026-20254 to CVE-2026-20257 | Medium, 5.7 | Classic dashboards | Data exfiltration through validation bypasses |
Splunk Secure Gateway Also Has an RCE Bug
Another major issue in the June batch is CVE-2026-20251, a high-severity remote code execution flaw in Splunk Secure Gateway. Splunk rates it 8.8 high.
The bug stems from unsafe deserialization of App Key Value Store data through the jsonpickle Python library. A low-privileged user without the admin or power role could exploit it through the Splunk Secure Gateway app.
Splunk fixed the issue in Splunk Enterprise 10.4.0, 10.2.4, 10.0.7, 9.4.12, and 9.3.13 or higher. The Secure Gateway advisory says administrators who do not use Splunk Mobile, Spacebridge, or Mission Control can turn off or remove the app as a mitigation.
Stored XSS Can Run Malicious JavaScript in Classic Dashboards
CVE-2026-20258 is a stored cross-site scripting flaw in Splunk Enterprise classic dashboards. A low-privileged user could store a malicious script in a classic dashboard HTML panel and cause it to run in another user’s browser.
Splunk says exploitation requires the attacker to trick the victim into initiating a request in their browser. The low-privileged user should not be able to trigger the exploit at will without that interaction.
The issue affects Splunk Web and depends on the dashboard_html_allow_embeddable_content setting. The XSS advisory says keeping that setting at its default value of false eliminates the attack surface for this specific vulnerability.
SSRF Bug Targets Dashboard Studio PDF Export
CVE-2026-20252 affects the Dashboard Studio PDF export feature. Splunk rates it 7.6 high because a low-privileged user could send server-side requests to arbitrary internal destinations.
The problem comes from trusted-domain validation that uses a prefix match and can be bypassed with attacker-controlled subdomains. Splunk also says the PDF export service follows HTTP redirects without revalidating each redirect target against the allowlist.
The SSRF advisory lists no workaround or detection rule, which makes patching the main defensive step. Administrators should also review which users can create dashboards and export dashboard content.
Classic Dashboard Bugs Can Leak Sensitive Data
Splunk also fixed four medium-severity dashboard vulnerabilities, tracked as CVE-2026-20254, CVE-2026-20255, CVE-2026-20256, and CVE-2026-20257. Each carries a CVSS score of 5.7.
These issues allow low-privileged users to craft classic dashboards that can exfiltrate data when a higher-privileged user views or interacts with them. The vulnerable patterns include CSS injection, incomplete external content validation, and protocol-relative URL handling.
Splunk says these flaws can bypass trusted-domain checks and send requests to untrusted domains. For security operations teams, that matters because Splunk dashboards often expose sensitive logs, alerts, tokens, internal system names, and security workflow data.
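The two validation weaknesses described above (a prefix match on the trusted domain, and redirects that are not rechecked) are easy to see side by side. The following is an added illustration, not Splunk's code: `weak_is_trusted` mirrors the bypassable prefix check, `hardened_is_trusted` parses the URL and compares the hostname exactly (which also rejects protocol-relative `//host` URLs), and `follow_with_revalidation` walks a constructed redirect chain checking every hop. The allowlist, URLs and redirect map are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed allowlist for this example, not a Splunk configuration value.
TRUSTED_DOMAINS = ["dashboards.example.com"]


def weak_is_trusted(url: str) -> bool:
    """String-prefix check of the kind the advisory calls bypassable."""
    return any(url.startswith(f"https://{d}") for d in TRUSTED_DOMAINS)


def hardened_is_trusted(url: str) -> bool:
    """Parse the URL, require http(s), and compare the hostname exactly.

    Exact comparison means "trusted.example.com.attacker.example" and
    "trusted.example.com@attacker.example" are rejected, and the empty
    scheme of a protocol-relative URL ("//host/path") fails the scheme test.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    host = parsed.hostname  # urlparse lowercases this and strips userinfo
    if not host:
        return False
    host = host.rstrip(".")  # treat a trailing-dot FQDN as the same host
    return any(host == d for d in TRUSTED_DOMAINS)


# Constructed redirect chain: request URL -> Location header it would return.
REDIRECTS = {
    "https://dashboards.example.com/report": "https://internal-metadata.example.local/latest",
    "https://dashboards.example.com/export": "https://dashboards.example.com/files/export.pdf",
}


def follow_with_revalidation(url: str, max_hops: int = 5):
    """Follow redirects, revalidating each target; return (allowed, final_url).

    A fetcher that validated only the first URL would follow the /report
    redirect to the internal host; revalidating every hop stops it there.
    """
    for _ in range(max_hops + 1):
        if not hardened_is_trusted(url):
            return False, url
        nxt = REDIRECTS.get(url)
        if nxt is None:
            return True, url
        url = nxt
    return False, url  # too many hops: refuse rather than keep following
```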
Fixed Versions and Mitigations
Splunk recommends upgrading affected Splunk Enterprise deployments to 10.4.0, 10.2.4, 10.0.7, 9.4.12, or 9.3.13 or higher, depending on the branch. The broader Splunk advisories also list fixed Splunk Cloud Platform versions for the cloud-affected issues.
For Splunk Cloud Platform, Splunk says it is actively monitoring and patching customer instances. Enterprise administrators still need to review local apps, dashboard permissions, trusted domains, and any self-managed Splunk components.
Because many of the advisories list no detections, patching and configuration hardening should take priority. Disabling unnecessary Splunk Web access, limiting dashboard creation rights, and keeping embeddable dashboard HTML disabled can reduce the risk while upgrade work continues.
- Upgrade Splunk Enterprise to the fixed branch version as soon as possible.
- Disable the PostgreSQL sidecar only if you do not depend on affected sidecar features.
- Turn off or remove Splunk Secure Gateway if your environment does not need it.
- Keep dashboard_html_allow_embeddable_content set to false.
- Restrict dashboard creation and editing to trusted roles.
- Configure the Classic Dashboards Trusted Domains List.
- Review exposed Splunk Web interfaces and remove unnecessary access.
Why Security Teams Should Move Quickly
Splunk often sits at the center of enterprise security operations. It collects logs, alerts, authentication events, endpoint telemetry, cloud activity, and incident response data from across the environment.
That makes exploitation more damaging than a typical web application flaw. A compromised Splunk deployment can give attackers insight into detections, internal systems, privileged activity, and response workflows.
Administrators should treat the June 2026 Splunk updates as a priority maintenance window, especially for exposed Splunk Web deployments, Splunk Enterprise 10.x instances with PostgreSQL sidecars, and environments that use Splunk Secure Gateway.
FAQ
The most serious issue is CVE-2026-20253, a critical Splunk Enterprise vulnerability rated 9.8. It can allow unauthenticated arbitrary file creation or truncation through a PostgreSQL sidecar service endpoint.
Splunk recommends upgrading to Splunk Enterprise 10.4.0, 10.2.4, 10.0.7, 9.4.12, or 9.3.13 or higher, depending on the affected product branch and vulnerability.
No. Splunk updated the CVE-2026-20253 advisory to say Splunk Cloud Platform is not affected because PostgreSQL sidecars are not used in Splunk Cloud.
CVE-2026-20258 is a stored cross-site scripting vulnerability in classic dashboard HTML panels. A low-privileged user could store malicious JavaScript that runs in another user’s browser after phishing or user interaction.
Administrators can disable unnecessary Splunk Web access, restrict dashboard creation and editing rights, keep dashboard_html_allow_embeddable_content set to false, configure trusted domains, and remove Splunk Secure Gateway if it is not needed.