## Overview
CISA added Splunk Enterprise CVE-2026-20253 to the KEV catalog on June 18, 2026. The vulnerability allows unauthenticated remote attackers to execute arbitrary file operations via a PostgreSQL sidecar service endpoint. Affected versions include Splunk Enterprise 10.2.x below 10.2.4 and 10.0.x below 10.0.7. Versions 9.4 and earlier are unaffected. The KEV addition signals imminent exploitation risks and federal compliance deadlines for U.S. agencies.
## Technical Details
The PostgreSQL sidecar service endpoint lacks authentication controls. Attackers on any network segment with access to the endpoint can invoke file creation or truncation operations without credentials. This occurs because the service endpoint does not validate user identity. The flaw is present only in the specified version ranges of Splunk Enterprise 10.x. Splunk Enterprise 9.4 and earlier versions do not expose this endpoint.
## Impact
Successful exploitation enables attackers to write arbitrary files to the Splunk server filesystem or truncate critical system files. This could lead to full system compromise, data exfiltration, or persistent backdoors. The high CVSS score of 9.8 reflects the ease of exploitation and severe impact potential. No known public exploits were confirmed at time of KEV addition, but the vulnerability is actively being scanned.
## Mitigation
Upgrade Splunk Enterprise immediately to version 10.2.4 or later for 10.2.x releases, or to 10.0.7 or later for 10.0.x releases. If immediate upgrade is impossible, disable the PostgreSQL sidecar service. This requires modifying the Splunk configuration file to remove the service endpoint. Defenders must prioritize this patch due to the KEV catalog inclusion and active scanning observed in threat actor networks.
CSURFACE Threat Sensor