Splunk Enterprise CVE-2026-20253

EUVD-2026-36088 · CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-10 cisco GHSA-xgm5-jh99-wc4v
CVSS 3.1 (NVD): 9.8

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch available: Jun 10, 2026 - 20:01 (EUVD)
Analysis Generated: Jun 10, 2026 - 18:35 (vuln.today)
CVE Published: Jun 10, 2026 - 17:16 (nvd)

Description (CVE.org)

In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.3 and 10.2.2510.14, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint.

The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials.

Analysis (AI)

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.4.2604.3 and 10.2.2510.14) allows remote attackers to create or truncate files on the host via an unauthenticated PostgreSQL sidecar service endpoint. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) reflects trivial network exploitation. No public exploit had been identified at the time of analysis, but the missing-authentication root cause and Splunk's high-value position in enterprise SOCs make prompt patching warranted.

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify reachable Splunk host
Delivery: Connect to PostgreSQL sidecar port
Exploit: Send unauthenticated file-operation request
Execution: Create or truncate target file
Persist: Tamper with config or drop payload
Impact: Execute as Splunk service account

Vulnerability Assessment (AI)

Exploitation: Exploitation requires only network reachability to the PostgreSQL sidecar service endpoint shipped with Splunk Enterprise and Splunk Cloud Platform - no credentials, no user interaction, and no non-default configuration are needed per the description, since the missing authentication is in the sidecar itself rather than gated behind an optional feature. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: All available signals point in the same direction: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H scores 9.8 because exploitation is network-reachable, low-complexity, requires no privileges or user interaction, and yields full CIA impact - consistent with a missing-auth file-write primitive that can be chained into RCE on a Splunk indexer or search head. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker with network reach to a Splunk indexer or search head - either from the internet (if exposed) or after gaining an initial foothold on the internal network - sends a crafted unauthenticated request to the PostgreSQL sidecar endpoint and instructs it to truncate or create a file at an attacker-chosen path. By targeting files such as Splunk configuration, authentication state, or a writable script path used by a scheduled task, the attacker escalates the file-write primitive into denial of service, configuration tampering, or code execution under the Splunk service account. …

Remediation: Vendor-released patch: upgrade Splunk Enterprise to 10.2.4 or 10.0.7 (or later) on the appropriate maintenance branch, and confirm Splunk Cloud Platform tenants are on 10.4.2604.3 or 10.2.2510.14 (or later) - refer to https://advisory.splunk.com/advisories/SVD-2026-0603 for the official fixed-version matrix and any branch-specific guidance. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Inventory all Splunk Enterprise and Cloud Platform deployments and check current versions against the fixed versions (10.2.4 / 10.0.7 for Enterprise; 10.4.2604.3 / 10.2.2510.14 for Cloud); anything below these on its maintenance branch is affected. …
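A small version-triage helper for that inventory step, added here as an example (not vuln.today's or Splunk's code). It assumes each fixed version listed on this page covers only its own maintenance branch (10.2.4 for 10.2.x, 10.0.7 for 10.0.x, and likewise for the two Cloud lines) and reports any other branch as "unknown" so it gets checked by hand against the vendor advisory.

```python
from typing import Optional

# Fixed versions named on this page, per product. Assumption (not stated on the
# page): each fixed version covers only its own maintenance branch, i.e. 10.2.4
# fixes 10.2.x and 10.0.7 fixes 10.0.x; Cloud branches are keyed on three parts.
FIXED_VERSIONS = {
    "enterprise": [(10, 2, 4), (10, 0, 7)],
    "cloud": [(10, 4, 2604, 3), (10, 2, 2510, 14)],
}


def parse_version(text: str) -> tuple:
    """'10.2.3' -> (10, 2, 3). Build suffixes after '-' or '+' are ignored."""
    core = text.strip().split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(product: str, version: str) -> Optional[bool]:
    """True if on a listed branch and below its fix, False if at/above the fix,
    None if the branch is not listed here (check the vendor advisory by hand)."""
    v = parse_version(version)
    for fixed in FIXED_VERSIONS[product]:
        branch = fixed[:-1]  # everything but the last part names the branch
        if v[: len(branch)] == branch:
            return v < fixed  # tuple comparison copes with differing lengths
    return None


def triage(inventory):
    """Map each (host, product, version) to 'affected', 'fixed' or 'unknown'."""
    labels = {True: "affected", False: "fixed", None: "unknown"}
    return {host: labels[is_affected(product, ver)]
            for host, product, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = [
        ("idx-01.example.internal", "enterprise", "10.2.3"),
        ("sh-01.example.internal", "enterprise", "10.0.7"),
        ("sh-02.example.internal", "enterprise", "10.1.2"),
        ("tenant-a.splunkcloud.example", "cloud", "10.4.2604.2"),
    ]
    for host, status in triage(sample).items():
        print(f"{host:32} {status}")
```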



CVE-2026-20253 vulnerability details – vuln.today
