CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2026-20253

CVSS 9.8v3.1pub. 2026-06-10upd. 2026-06-19

In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials. Splunk Enterprise versions 9.4 and earlier are not affected. If you cannot immediately upgrade to a fixed version, you can mitigate this vulnerability by disabling the PostgreSQL sidecar service.

🤖 AI Analysis
How it works

The PostgreSQL sidecar service in Splunk Enterprise exposes a network endpoint that does not require authentication (CWE-306: Missing Authentication for Critical Function). Any user with network access to this endpoint can send requests that trigger file system operations — creating new files or truncating existing ones to zero length. The lack of access controls makes the attack possible without possessing any credentials in the system.

Impact

An attacker can create arbitrary files or destroy the contents of existing files on the server, which may lead to system disruption, deletion of critical configuration data, or — in combination with other techniques — remote code execution (RCE).

Mitigation & patch

Update Splunk Enterprise to version 10.2.4 or later (for the 10.2 branch) or to version 10.0.7 or later (for the 10.0 branch). If immediate patching is not possible, the vendor recommends disabling the PostgreSQL sidecar service as a temporary workaround.

Who is affected

Splunk Enterprise in versions 10.2 below 10.2.4 and in versions 10.0 below 10.0.7. Versions 9.4 and earlier are not vulnerable.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Splunk

    APP
    Splunk
    10.0.0 – 10.0.7 (bez)10.2.0 – 10.2.4 (bez)

CISA KEV — detailsi

Vendori
Splunk
Producti
Enterprise
Added to KEVi
June 18, 2026
Remediation deadline (US Federal)i
June 21, 2026(overdue)
Required action (CISA)i

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

CISA descriptioni

Splunk Enterprise contains a missing authentication for critical function vulnerability which could allow an unauthenticated user to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 21 czerwca 2026
CWE
References

Related vulnerabilities

CVE-2022-32158CRITICAL9.0ten sam produkt

Splunk Enterprise deployment servers in versions before 8.1.10.1, 8.2.6.1, and 9.0 let clients deploy forwarde...

CVE-2017-17067CRITICAL9.8ten sam produkt

Splunk Web in Splunk Enterprise 7.0.x before 7.0.0.1, 6.6.x before 6.6.3.2, 6.5.x before 6.5.6, 6.4.x before 6...

CVE-2016-10126CRITICAL9.8ten sam produkt

Splunk Web in Splunk Enterprise 5.0.x before 5.0.17, 6.0.x before 6.0.13, 6.1.x before 6.1.12, 6.2.x before 6....

CVE-2014-0160HIGH7.5⚠ KEVten sam produkt

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Exten...

CVE-2026-20251HIGH8.8ten sam produkt

In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 1...