CVE-2026-20253: Splunk Enterprise Flaw Lets Unauthenticated Attackers Write Files

A critical missing-authentication flaw in Splunk Enterprise, tracked as CVE-2026-20253, lets an unauthenticated attacker create or truncate arbitrary files on affected servers. It carries a CVSS 3.1 score of 9.8 and was added to CISA's Known Exploited Vulnerabilities catalog on June 18, 2026. If you run Splunk Enterprise 10.2 or 10.0, upgrade to 10.2.4 or 10.0.7 right away, or disable the PostgreSQL sidecar service until you can.

What is CVE-2026-20253?

CVE-2026-20253 is a missing-authentication vulnerability (CWE-306) in a PostgreSQL sidecar service endpoint bundled with Splunk Enterprise. The endpoint exposes file operations with no authentication control in front of them, so anyone who can reach it over the network can invoke them with no credentials and no user interaction. That lets an attacker create new files or truncate existing ones on the underlying server. The issue was reported by security researcher Alex Hordijk (hordalex) and is documented in Splunk's advisory SVD-2026-0603.

Arbitrary file creation and truncation may sound narrow, but in practice it gives an attacker a foothold to overwrite configuration files, corrupt logs, or stage follow-on activity. On a logging and security analytics platform, the ability to truncate files is especially concerning because it can be used to destroy the very evidence defenders rely on.

What products and versions are affected?

The vulnerability affects two release branches of self-hosted Splunk Enterprise:

  • Splunk Enterprise 10.2, versions below 10.2.4
  • Splunk Enterprise 10.0, versions below 10.0.7

Splunk Enterprise 9.4 and earlier are not affected, according to the CVE record. The flaw lives in the PostgreSQL sidecar service, so deployments that run that component are in scope.

If you are unsure which version you are running, check before assuming you are clear. The affected branches are recent releases, so organizations that moved promptly to the 10.x line are the ones most likely exposed. Note that the advisory names only the 10.0 and 10.2 branches; if you run another 10.x release, confirm its status against the advisory rather than assuming either way.

How severe is it?

This is a critical-severity vulnerability. The CVE record assigns a CVSS 3.1 base score of 9.8 with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

The vector tells the story. Exploitation is possible over the network (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N), and needs no user interaction (UI:N). An attacker only needs network reachability to the vulnerable endpoint. There is no credential to steal, no phishing step, and no victim action to wait for.

CISA added CVE-2026-20253 to its Known Exploited Vulnerabilities catalog on June 18, 2026, with a remediation due date of June 21, 2026. A KEV listing means CISA has evidence the flaw is being exploited in the wild, which moves this from a theoretical risk to an active one. CISA lists known use in ransomware campaigns as "Unknown" at this time.

Are patches available?

Yes. Splunk has released fixed versions for both affected branches:

  • Splunk Enterprise 10.2.4 (fixes the 10.2 branch)
  • Splunk Enterprise 10.0.7 (fixes the 10.0 branch)

Upgrade details are in Splunk's security advisory. Given the KEV listing and the unauthenticated, network-reachable nature of the flaw, treat patching as same-day urgency for any internet-facing or broadly network-reachable Splunk Enterprise instance.

If you cannot upgrade immediately, Splunk notes that you can mitigate the vulnerability by disabling the PostgreSQL sidecar service. Treat this as a stopgap, not a substitute for patching, and confirm what in your deployment depends on the sidecar before turning it off so the mitigation does not become its own outage.

What should you do right now?

We recommend working through these steps in order:

  1. Patch immediately. Upgrade affected Splunk Enterprise instances to 10.2.4 or 10.0.7. Prioritize any instance reachable from the internet or from broad internal network segments.
  2. Apply the mitigation if you can't patch yet. Disable the PostgreSQL sidecar service to close the exposed endpoint until you can upgrade.
  3. Confirm your version. Verify the running version on every Splunk Enterprise host so nothing slips through. Remember that 9.4 and earlier are not affected, but 10.0 and 10.2 below the fixed releases are.
  4. Audit for tampering. Because the flaw allows file truncation, review logs and configuration files for signs of modification or destruction, especially on instances that were network-reachable before patching.
  5. Monitor for exploitation. Watch for unexpected file changes around the PostgreSQL sidecar service and unusual network connections to the affected endpoint.
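
As an added example (not code from Splunk, Halo Security or the advisory), the script below covers steps 3 and 4 of this checklist on a single host, and also serves the "What products and versions are affected?" section above: it parses the output of `splunk version`, decides whether that release falls in an affected range as listed on this page, and compares a snapshot of a configuration tree against its current state to flag files that shrank, appeared, changed or vanished. It assumes `splunk version` prints a line like "Splunk 10.2.3 (build ...)", that $SPLUNK_HOME/etc is the tree worth watching, and builds a throwaway directory with constructed files for its demo run. Branches the advisory does not name are reported as "not_listed" rather than guessed.

```python
"""Triage helper for CVE-2026-20253: version check plus file-tamper audit.

Added example, not Splunk's or Halo Security's code. Assumptions are marked
with "ASSUMPTION" below.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]
Snapshot = Dict[str, Tuple[int, str]]  # relative path -> (size, sha256)

# Fixed release per affected branch, as listed on this page. Branches the
# advisory does not name (e.g. 10.1) are deliberately absent: they come back
# as "not_listed" so nobody reads silence as "safe".
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (10, 2): (10, 2, 4),
    (10, 0): (10, 0, 7),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Pull MAJOR.MINOR.PATCH out of `splunk version` output.

    ASSUMPTION: the output looks like "Splunk 10.2.3 (build 1234abcd)";
    a bare "10.2.3" is accepted too.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = (int(x) for x in match.groups())
    return (major, minor, patch)


def classify(version: Version) -> str:
    """Return 'affected', 'fixed', 'not_affected' (9.4 and earlier) or 'not_listed'."""
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return "affected" if version < FIXED_BY_BRANCH[branch] else "fixed"
    if branch <= (9, 4):
        return "not_affected"
    return "not_listed"


def snapshot(root: str) -> Snapshot:
    """Record size and SHA-256 of every regular file under root (symlinks skipped)."""
    result: Snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            result[os.path.relpath(full, root)] = (os.path.getsize(full), digest.hexdigest())
    return result


def diff_snapshots(before: Snapshot, after: Snapshot) -> Dict[str, List[str]]:
    """Bucket changes. A shrunken file is consistent with truncation; a path
    present only in `after` is consistent with file creation. Both are leads
    to investigate, not proof: legitimate edits shrink files too."""
    findings: Dict[str, List[str]] = {"truncated": [], "created": [], "modified": [], "deleted": []}
    for path, (size, digest) in after.items():
        if path not in before:
            findings["created"].append(path)
        elif size < before[path][0]:
            findings["truncated"].append(path)
        elif digest != before[path][1]:
            findings["modified"].append(path)
    findings["deleted"] = [p for p in before if p not in after]
    return {k: sorted(v) for k, v in findings.items()}


def run_demo() -> Dict[str, List[str]]:
    """Constructed demo: a throwaway 'etc' tree, then one truncation and one new file."""
    with tempfile.TemporaryDirectory() as etc:
        local = os.path.join(etc, "system", "local")
        os.makedirs(local)
        for rel, body in (("system/local/server.conf", b"[general]\nserverName = idx01\n"),
                          ("passwd", b"placeholder user file\n")):
            with open(os.path.join(etc, rel), "wb") as fh:
                fh.write(body)
        before = snapshot(etc)
        # Simulate what the flaw allows: truncate one file, create another.
        open(os.path.join(local, "server.conf"), "wb").close()
        with open(os.path.join(etc, "dropped.conf"), "wb") as fh:
            fh.write(b"[stanza]\n")
        return diff_snapshots(before, snapshot(etc))


if __name__ == "__main__":
    # ASSUMPTION: you paste the output of $SPLUNK_HOME/bin/splunk version here.
    print(classify(parse_version("Splunk 10.2.3 (build 1234abcd)")))
    print(run_demo())
```

Run the version check on every host rather than trusting an inventory, and take the baseline snapshot from a known-good peer or from a backup made before the exposure window. A file in the "truncated" bucket is a lead, not a verdict: follow it up with the host's own audit trail before concluding anything about exploitation.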

CISA's KEV remediation due date of June 21, 2026 has already passed, so federal agencies and any organization that follows KEV timelines should treat this as overdue rather than upcoming.

How Halo Security can help

Finding every affected asset is the hard part of responding to a flaw like this. You can only patch what you know about, and Splunk Enterprise instances have a way of accumulating in places that fall outside a central inventory.

Halo Security's Server Scanning examines your internet-facing servers for vulnerabilities like CVE-2026-20253, so you can quickly see which hosts are exposed across your external attack surface. Because the flaw is unauthenticated and network-reachable, knowing exactly which of your servers expose the affected service is the first step toward closing the gap.

Halo Security helps prioritize findings against the CISA KEV catalog, so vulnerabilities under active exploitation rise to the top of your queue automatically. You can read more about how we identify and prioritize Known Exploited Vulnerabilities to focus remediation where it matters most. If you want a fuller picture of how exposed software like Splunk fits into your broader risk posture, our external vulnerability management approach pairs continuous scanning with expert remediation guidance.

FAQ

Is CVE-2026-20253 being actively exploited?

CISA added CVE-2026-20253 to its Known Exploited Vulnerabilities catalog on June 18, 2026, which indicates confirmed exploitation in the wild. Whether it has been used in ransomware campaigns is listed as unknown.

How can I tell if I'm affected?

Check your Splunk Enterprise version. You are affected if you run version 10.2 below 10.2.4 or version 10.0 below 10.0.7. Splunk Enterprise 9.4 and earlier are not affected.

How quickly do I need to patch?

Treat this as same-day urgency for any internet-facing or broadly network-reachable Splunk Enterprise instance, since the flaw is unauthenticated and already KEV-listed. CISA set a remediation due date of June 21, 2026, which has now passed.

What is a KEV, and why does it matter here?

A Known Exploited Vulnerability is a flaw CISA has confirmed is being exploited in the wild. You can read our explainer on what KEVs are for more, but the short version is that KEV listing is a strong signal to prioritize patching now rather than later.

What if I can't upgrade immediately?

Splunk notes that you can mitigate the vulnerability by disabling the PostgreSQL sidecar service. Treat this as a temporary measure and upgrade to a fixed version as soon as you can.

Want to find your exposure fast?

Want to see which of your servers are exposed to CVE-2026-20253 across your attack surface? Halo Security's vulnerability scanning makes it easy to find every affected host in minutes so you can patch with confidence.


New CVEs land daily. Halo Threat Intelligence scores each one's internet-facing exposure with the Surface Signal 1-5 rating so you know what to prioritize.