Splunk Enterprise CVE-2026-20253 Exploited: Patch Before June 21

CISA added Splunk Enterprise CVE-2026-20253 to KEV on June 18, 2026. Unauthenticated file write via PostgreSQL sidecar, federal due date June 21. Who is affected and what to do.


If you run Splunk Enterprise, attackers are already exploiting CVE-2026-20253. The flaw is a missing authentication for a critical function (CWE-306) in a PostgreSQL sidecar service endpoint: an unauthenticated, remote attacker can use it to create or truncate arbitrary files on the host. CISA added it to its Known Exploited Vulnerabilities catalog on June 18, 2026, with a federal remediation due date of June 21, three days out.

Am I affected?

CVE-2026-20253 affects Splunk Enterprise on two release branches: 10.2 versions before 10.2.4, and 10.0 versions before 10.0.7. Splunk fixed it in 10.4.0, 10.2.4, and 10.0.7. Versions 9.4 and earlier are not affected. Check the build running in your environment against these ranges, and see Splunk’s advisory at advisory.splunk.com for the full list and fixed builds. A release branch that is not listed here should be checked against the advisory rather than assumed safe.
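The range check above is easy to get wrong by hand across a fleet, so here is an added example (not Splunk's code and not from the advisory) that classifies a build string against the ranges as this post states them. It assumes the version string comes either from the output of `splunk version` or from the VERSION= line of `$SPLUNK_HOME/etc/splunk.version`; the sample strings in the block are constructed. Anything outside the listed branches is reported as "unlisted" so that it gets looked up in the advisory instead of being silently treated as safe.

```python
"""Classify a Splunk Enterprise build against the CVE-2026-20253 ranges.

Added example, not Splunk's code. Ranges as summarised in this post:
10.2 before 10.2.4 and 10.0 before 10.0.7 are affected; 10.4.0, 10.2.4
and 10.0.7 are fixed; 9.4 and earlier are not affected. Any other
branch is reported as "unlisted": check it against the advisory.
"""
import re

# (major, minor) branch -> first fixed patch level on that branch.
FIXED_PATCH_LEVEL = {(10, 2): 4, (10, 0): 7}
FIXED_BRANCHES = {(10, 4)}        # 10.4.0 ships fixed
LAST_UNAFFECTED = (9, 4)          # 9.4 and earlier are not affected


def parse_version(text: str) -> tuple:
    """Pull a major.minor.patch triple out of `splunk version` output
    (e.g. 'Splunk 10.2.3 (build ...)') or a 'VERSION=10.2.3' line."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(x) for x in m.groups())


def classify(version: tuple) -> str:
    """Return 'affected', 'fixed', 'not_affected' or 'unlisted'."""
    major, minor, patch = version
    branch = (major, minor)
    if branch in FIXED_PATCH_LEVEL:
        return "affected" if patch < FIXED_PATCH_LEVEL[branch] else "fixed"
    if branch in FIXED_BRANCHES:
        return "fixed"
    if branch <= LAST_UNAFFECTED:
        return "not_affected"
    return "unlisted"             # e.g. 10.1.x or 10.3.x: consult the advisory


def check(text: str) -> str:
    return classify(parse_version(text))


if __name__ == "__main__":
    # Constructed sample inputs in the two formats you will actually meet.
    samples = [
        "Splunk 10.2.3 (build 0123456789ab)",   # from: $SPLUNK_HOME/bin/splunk version
        "VERSION=10.0.7",                        # from: $SPLUNK_HOME/etc/splunk.version
        "Splunk 9.4.2 (build 0a1b2c3d4e5f)",
        "VERSION=10.1.0",
    ]
    for s in samples:
        print(f"{s:40s} -> {check(s)}")
```

Run it once per host with the version string piped in, or wrap `check()` in whatever inventory tooling you already have; the point is that "unlisted" is a distinct answer from "not_affected".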

The vulnerable component is a PostgreSQL sidecar service endpoint. The endpoint itself performs no authentication for the affected function (that is the CWE-306 flaw), so the only thing between an attacker and the file-write primitive is whether the attacker can reach the endpoint over the network. Isolating Splunk’s backend services from external networks reduces exposure from the internet, but not from an attacker who already has a foothold on an adjacent network segment, and patching remains the required action regardless.

What to do now

  1. Patch using the fixed build in Splunk’s advisory. Apply the version Splunk specifies for your release branch. This is the only durable fix. The federal due date is June 21, 2026, three days from now. For organizations that are not US federal agencies, the same short window is a reasonable internal target for any internet-facing Splunk deployment.
  2. If you cannot patch within hours, restrict access to the PostgreSQL sidecar port at the network or host level. Block inbound connections to the vulnerable endpoint from anything that should not reach it. The honest cost: auxiliary services or ingest pipelines that rely on that endpoint may be affected, so verify connectivity before applying the restriction and plan for a quick patch to follow.
  3. Review file system activity on hosts running Splunk Enterprise. An unauthenticated file-write primitive can be used to plant files before patching closes the window. After patching, check for unexpected files in directories that Splunk processes write to, compare file modification timestamps against access logs, and treat any unexpected files as a potential indicator of prior access rather than noise. Because the primitive can truncate as well as create, look for files that are unexpectedly empty as well as files that are new.
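Step 3 is the one that benefits from a repeatable script. The block below is an added example, not code from this post or from Splunk: it walks the directories you name and flags regular files that were modified after a cutoff you choose, or that are zero bytes long, which is the residue a truncate primitive leaves behind. Which directories to scan and which cutoff to use are assumptions for your own site (`$SPLUNK_HOME/var` and `$SPLUNK_HOME/etc` are the usual places Splunk processes write, and the cutoff should be no later than the earliest date the endpoint could have been exposed; the demo uses the June 10 NVD publication date). The sample tree built by `build_sample_tree()` is constructed for the demonstration.

```python
"""Post-patch file-system triage for a host that exposed the vulnerable
Splunk sidecar endpoint. Added example, not from the post or from Splunk.

Flags regular files under the given roots that were modified after a
cutoff, or that are zero bytes long. Both the roots and the cutoff are
assumptions you set for your site; the sample tree is constructed.
"""
import os
import stat
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path


@dataclass(frozen=True)
class Finding:
    path: str
    reasons: tuple        # "modified_after_cutoff" and/or "zero_length"
    mtime: datetime       # an attacker can backdate this with utime(2)
    ctime: datetime       # inode change time; not settable from userland on Linux
    size: int
    uid: int


def scan(roots, cutoff: datetime) -> list:
    """Return Findings under `roots`, newest mtime first.

    Symlinks are not followed (lstat, followlinks=False), so a planted
    symlink cannot steer the walk outside the tree under review.
    """
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, followlinks=False):
            for name in files:
                p = Path(dirpath) / name
                try:
                    st = p.lstat()
                except OSError:
                    continue          # vanished or unreadable; keep going
                if not stat.S_ISREG(st.st_mode):
                    continue
                mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
                ctime = datetime.fromtimestamp(st.st_ctime, tz=timezone.utc)
                reasons = []
                if mtime > cutoff:
                    reasons.append("modified_after_cutoff")
                if st.st_size == 0:
                    reasons.append("zero_length")
                if reasons:
                    findings.append(Finding(str(p), tuple(reasons), mtime, ctime,
                                            st.st_size, st.st_uid))
    return sorted(findings, key=lambda f: f.mtime, reverse=True)


def report(findings) -> list:
    """One line per finding; mtime and ctime side by side so a backdated
    mtime with a recent ctime stands out."""
    return [f"mtime={f.mtime:%Y-%m-%dT%H:%M:%SZ} ctime={f.ctime:%Y-%m-%dT%H:%M:%SZ} "
            f"uid={f.uid} size={f.size} {','.join(f.reasons)} {f.path}"
            for f in findings]


def build_sample_tree(base: Path) -> None:
    """Constructed sample: a normal old log, a file dropped after the
    cutoff, and an old config file that has been truncated to zero bytes."""
    base.mkdir(parents=True, exist_ok=True)
    old_ts = datetime(2026, 6, 1, tzinfo=timezone.utc).timestamp()
    new_ts = datetime(2026, 6, 15, tzinfo=timezone.utc).timestamp()
    log = base / "splunkd.log"
    log.write_text("ordinary log line\n")
    os.utime(log, (old_ts, old_ts))
    planted = base / "planted.txt"
    planted.write_text("written after the CVE was published\n")
    os.utime(planted, (new_ts, new_ts))
    truncated = base / "truncated.conf"
    truncated.write_text("")
    os.utime(truncated, (old_ts, old_ts))   # mtime backdated, but empty


def demo() -> list:
    """Build the constructed sample tree in a fresh temp dir and scan it."""
    import tempfile
    base = Path(tempfile.mkdtemp()) / "splunk"
    build_sample_tree(base)
    return scan([base], datetime(2026, 6, 10, tzinfo=timezone.utc))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:          # e.g. /opt/splunk/var /opt/splunk/etc
        cutoff = datetime(2026, 6, 10, tzinfo=timezone.utc)   # assumed; set your own
        found = scan(sys.argv[1:], cutoff)
    else:
        found = demo()
    for line in report(found):
        print(line)
```

The mtime/ctime pairing is the check worth keeping even if you rewrite the rest: `utime` can set mtime to anything, but ctime moves whenever the inode changes, so a file whose mtime predates the cutoff while its ctime falls inside the exposure window deserves the same scrutiny as a new file.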

How it is being exploited

CISA’s KEV listing is the primary-source confirmation of active exploitation. The catalog records CVE-2026-20253 with a date added of June 18, 2026 and a federal remediation due date of June 21, 2026. Known ransomware campaign use is listed as Unknown at this time.

NVD published CVE-2026-20253 on June 10, 2026 with a CVSS 3.1 base score of 9.8 (Critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: network-reachable, no privileges and no user interaction, with full impact to confidentiality, integrity, and availability. EPSS from FIRST sits at about 1.7 percent (74th percentile) as of June 18, 2026 and will move as exploitation data accrues. The 9.8 score and the KEV listing point the same way: this is a priority regardless of where EPSS settles.

No indicators of compromise have been published by a primary source at this writing. For the latest technical detail, work directly from Splunk’s advisory and the CISA KEV entry.

How VulnMonitor helps

VulnMonitor keeps a live inventory of what you run, so when CISA added CVE-2026-20253 on June 18, VulnMonitor reconciled that entry against your Splunk Enterprise assets and ranked it by KEV status. A three-day federal deadline on an unauthenticated file-write flaw sorts to the top of any queue. It does not stop the attack itself, so the patch above is still the action that closes the risk. Knowing which Splunk builds are in scope is the first step toward closing it.

Updates

  • 2026-06-18, 17:00 UTC Initial post. CVE-2026-20253 added to CISA KEV on June 18, 2026. Federal due date June 21, 2026.
  • 2026-06-18, later Correction. NVD published CVE-2026-20253 on June 10, 2026 with CVSS 9.8 (Critical), not pending as first stated. Added the affected ranges (10.2 before 10.2.4, 10.0 before 10.0.7; 9.4 and earlier unaffected) and fixed builds (10.4.0, 10.2.4, 10.0.7) per Splunk’s advisory. EPSS is about 1.7 percent (74th percentile).

Sources

Security research team

CloudKey Security Research

The CloudKey research team tracks emerging CVEs, exploit chains and active campaigns. Findings feed the platform and the customer advisories that follow.
