Critical Splunk Enterprise Flaw Exposes Pre-Auth File Write and RCE Path
Splunk issued urgent fixes for CVE-2026-20253, a critical CVSS 9.8 vulnerability in Splunk Enterprise that allows unauthenticated arbitrary file creation and truncation through a PostgreSQL sidecar service endpoint missing authentication controls. The flaw affects supported Splunk Enterprise releases prior to 10.4.0, 10.2.4, 10.0.7, 9.4.12, and 9.3.13 depending on branch, and Splunk said Splunk Cloud is not affected because it does not use Postgres sidecars. Splunk and national cyber authorities urged administrators to apply updates immediately, noting that no vendor detections or workarounds were initially available for the core issue.
Public technical analysis from watchTowr Labs showed the bug can be reached through Splunk Web on port 8000, which proxies requests to localhost-only PostgreSQL recovery endpoints, enabling attackers to abuse /v1/postgres/recovery/backup and /restore for filesystem access. Researchers demonstrated a full pre-auth exploitation chain that used path traversal, PostgreSQL connection-string injection, local .pgpass credentials, and PostgreSQL large-object export to gain arbitrary file write as the splunk user, then overwrite a Splunk Python script to achieve remote code execution. Splunk also disclosed additional Enterprise flaws including CVE-2026-20251 (CVSS 8.8) in the Splunk Secure Gateway app due to unsafe jsonpickle deserialization, plus stored XSS and SSRF issues, prompting guidance to patch quickly, restrict dashboard creation and web exposure, and disable or remove vulnerable components where immediate upgrades are not possible.
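The two facts a defender acts on from the summary above are the branch-specific fix versions and the two sidecar recovery paths that Splunk Web proxies. The following added example (not Splunk's, watchTowr's or Mallory's code) checks an installed version against the advisory's fix list and sweeps Common Log Format access lines for any request that reached those paths; the log lines, addresses and timestamps are constructed, and branches the advisory does not name are reported as None rather than guessed.

```python
"""Defender-side triage for CVE-2026-20253 (added example, not vendor code)."""
import re

# Branch (major, minor) -> first fixed release on that branch, per the advisory.
# Branches absent here (e.g. 10.3.x) are not in the summary, so is_vulnerable returns None.
FIXED = {(10, 4): (10, 4, 0), (10, 2): (10, 2, 4), (10, 0): (10, 0, 7),
         (9, 4): (9, 4, 12), (9, 3): (9, 3, 13)}

# Recovery endpoints named in the public analysis. They are matched anywhere in the
# request path so the exact Splunk Web proxy prefix does not have to be assumed.
RECOVERY_PATHS = ("/v1/postgres/recovery/backup", "/v1/postgres/recovery/restore")

# Common Log Format: ip ident user [time] "METHOD path proto" status size
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def parse_version(text):
    """'10.2.3' -> (10, 2, 3); any build suffix after the patch number is dropped."""
    return tuple(int(p) for p in text.strip().split(".")[:3])


def is_vulnerable(version):
    """True if below the branch's fix, False if at or above it, None if branch unlisted."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    return None if fixed is None else v < fixed


def recovery_endpoint_hits(lines):
    """Return (ip, path, status) for each request that reached a recovery endpoint.

    A 200 from a non-loopback address is the case to escalate; a 401 matches a
    patched host that now demands a Splunk token in the Authorization header.
    """
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # unparseable lines are skipped rather than aborting the sweep
        path = m.group("path").split("?", 1)[0]  # drop the query string before matching
        if any(p in path for p in RECOVERY_PATHS):
            hits.append((m.group("ip"), path, int(m.group("status"))))
    return hits


# Constructed sample: one unauthenticated hit, one benign UI request, one rejected hit.
SAMPLE_LOG = [
    '203.0.113.10 - - [13/Jun/2026:10:01:02 +0000] "POST /v1/postgres/recovery/backup?x=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [13/Jun/2026:10:01:05 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 8190',
    '203.0.113.10 - - [13/Jun/2026:10:02:40 +0000] "POST /v1/postgres/recovery/restore HTTP/1.1" 401 0',
    'not a log line',
]
```

Run `is_vulnerable("10.2.3")` and `recovery_endpoint_hits(SAMPLE_LOG)` to see a vulnerable build flagged and both recovery-endpoint requests returned while the UI request and the malformed line are ignored.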
How this story unfolded
12 events, listed from the most recent confirmed update back to the earliest known activity.
Metasploit scanner pull request opened for CVE-2026-20253
On 2026-06-19, a Rapid7 Metasploit Framework pull request proposed a scanner module to detect CVE-2026-20253 in Splunk’s PostgreSQL sidecar recovery endpoint. The module description showed unauthenticated file-operation behavior on vulnerable versions such as 10.2.3 and noted that patched 10.2.4 requires a Splunk token in the Authorization header.
Splunk confirms limited exploitation of CVE-2026-20253
Splunk subsequently confirmed limited exploitation of CVE-2026-20253 in June 2026 and urged customers to upgrade immediately. The confirmation followed earlier public reporting and CISA action around the actively exploited flaw.
CISA sets June 21 remediation deadline for CVE-2026-20253
Following its KEV listing, CISA required federal civilian agencies to remediate CVE-2026-20253 by 2026-06-21 under Binding Operational Directive 26-04. The agency warned that internet-exposed Splunk Enterprise instances were especially at risk and urged immediate mitigation and forensic triage.
CISA adds CVE-2026-20253 to KEV catalog
On 2026-06-18, CISA added Splunk Enterprise vulnerability CVE-2026-20253 to its Known Exploited Vulnerabilities catalog. The KEV update identified the flaw as a missing authentication issue enabling arbitrary file creation or truncation via a PostgreSQL sidecar endpoint and directed organizations to apply vendor mitigations under BOD 26-04.
Resecurity reports active exploitation of CVE-2026-20253
On 2026-06-16, Resecurity reported active exploitation of CVE-2026-20253, describing the flaw as a pre-authentication remote code execution issue affecting Splunk Enterprise and certain Splunk Cloud Platform releases. The report said exploitation could enable arbitrary code execution, data exposure or manipulation, persistence, credential theft, defense evasion, and lateral movement, and urged immediate mitigation and investigation for compromise.
watchTowr publicly details CVE-2026-20253 exploit chain
On 2026-06-13, watchTowr Labs publicly described how CVE-2026-20253 could be exploited through Splunk’s web proxy to reach localhost PostgreSQL sidecar endpoints and gain arbitrary file operations. The researchers showed escalation via PostgreSQL connection-string injection, abuse of local .pgpass credentials, and malicious SQL restoration to obtain arbitrary file write as the splunk user.
watchTowr demonstrates remote code execution from the flaw
watchTowr’s proof of concept showed the arbitrary file write could be turned into remote code execution by overwriting a Splunk Python script that is executed by the product. The researchers also released a limited detection script to test whether access to the vulnerable backup endpoint was blocked.
Nuclei template pull request opened for CVE-2026-20253
On 2026-06-12, a GitHub pull request for ProjectDiscovery nuclei templates referenced CVE-2026-20253. The pull request indicates that detection content for the Splunk vulnerability was being added, though its technical details are not available here.
Splunk clarifies Splunk Cloud is not affected by CVE-2026-20253
On 2026-06-12, Splunk updated its advisory to state that Splunk Cloud is not affected because it does not use Postgres sidecars. This narrowed the impact of CVE-2026-20253 to affected Splunk Enterprise deployments.
Splunk discloses additional Enterprise flaws including RCE, XSS, and SSRF
On 2026-06-10, Splunk also disclosed multiple other high and critical Splunk Enterprise vulnerabilities, including CVE-2026-20251, CVE-2026-20258, and CVE-2026-20252. The issues included unsafe deserialization leading to remote code execution, stored cross-site scripting, server-side request forgery, and dashboard-related data exfiltration risks.
Splunk publishes advisory for CVE-2026-20253
On 2026-06-10, Splunk disclosed CVE-2026-20253, a critical Splunk Enterprise flaw caused by missing authentication on a PostgreSQL sidecar service endpoint. Splunk said the issue allows unauthenticated arbitrary file creation and truncation and recommended upgrading to fixed versions 10.4.0, 10.2.4, 10.0.7, or later.
Splunk discloses multiple product vulnerabilities and urges updates
On 2026-06-10, Splunk published security advisories covering vulnerabilities in Splunk SOAR, Splunk Enterprise, and Splunk Cloud Platform. The Canadian Centre for Cyber Security urged administrators to review Splunk’s advisories and apply the necessary updates.
Sources
Splunk Enterprise RCE (CVE-2026-20253) | ThreatLabz (zscaler.com)
U.S. CISA adds Splunk Enterprise flaw to its Known Exploited Vulnerabilities catalog and urges agencies to fix it by Sunday (securityaffairs.com)
CISA Warns of Splunk Enterprise Critical Function Vulnerability Actively Exploited in Attacks (cybersecuritynews.com)
Add Splunk PostgreSQL sidecar unauthenticated file operation scanner (CVE-2026-20253) by kenlacroix · Pull Request #21586 · rapid7/metasploit-framework · GitHub (github.com)
Splunk security advisory (AV26-586) - Canadian Centre for Cyber Security (cyber.gc.ca)
SVD-2026-0603 | Splunk Vulnerability Disclosure (advisory.splunk.com)
CVE Record: CVE-2026-20253 (cve.org)
watchTowr Labs (labs.watchtowr.com)