Splunk Enterprise Vulnerability Exploited in Active Attacks

Splunk Enterprise vulnerability CVE-2026-20253 in the PostgreSQL sidecar service exploited in active attacks

Attackers have already begun abusing a critical Splunk Enterprise vulnerability. Meanwhile, hundreds of open instances of the product remain reachable on the internet. So the window to patch is closing fast.

What Is CVE-2026-20253?

The flaw carries the identifier CVE-2026-20253 and scores 9.8 (Critical) on the CVSS 3.1 scale. The bug affects Splunk Enterprise 10.2 before version 10.2.4 and the 10.0 branch before version 10.0.7. Splunk Enterprise 9.4 and earlier releases are not affected.

Why the Bug Is So Dangerous

The problem lives in a PostgreSQL sidecar service. That service did not check authentication. As a result, any user with network access to a vulnerable instance could act without credentials. Specifically, an attacker could create arbitrary files or truncate existing ones. Such a scenario threatens both data integrity and system availability. Worse still, public research shows the file-write flaw can chain into pre-authenticated remote code execution.

Active Exploitation and the CISA Listing

The Splunk PSIRT reported that it learned of limited exploitation in June 2026. Soon after, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20253 to its Known Exploited Vulnerabilities catalog. For U.S. federal agencies, that step creates a duty to fix the issue first on internet-facing systems. Notably, this is the first Splunk flaw ever placed on the KEV list.

How Many Systems Are Exposed?

According to Shadowserver, more than 1,400 open Splunk instances are visible online. Most of them sit in North America, where researchers found 952 systems. Another 223 live in Europe. Still, it remains unclear how many of these instances are truly vulnerable to the current attacks.

How to Fix It

Splunk recommends upgrading Splunk Enterprise to version 10.4.0, 10.2.4, 10.0.7, or later. If a quick update is not possible, administrators can disable the PostgreSQL sidecar service instead. To do so, add a [postgres] section with the parameter disabled = true to the file $SPLUNK_HOME/etc/system/local/server.conf. Then restart Splunk Enterprise.

Check Dependencies First

The company warns that this workaround needs care. Before applying it, review your dependencies. Disabling PostgreSQL breaks Edge Processor, OpAmp, and SPL2 data pipelines. It may also disrupt related helper processes. Even so, Splunk says the system will still run basic searches, index data, and display dashboards.
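A small triage helper for the version ranges and the server.conf workaround described above, added here as an example and not code from Splunk or from the original article. It assumes the affected ranges exactly as this page states them (branches the page does not mention, such as 10.1 or 10.3, are reported as unknown rather than guessed), and the sample server.conf content is constructed:

```python
import configparser
from pathlib import Path

# Constructed sample of $SPLUNK_HOME/etc/system/local/server.conf after
# the workaround has been applied (not taken from a real system).
SAMPLE_SERVER_CONF = """\
[general]
serverName = splunk-lab-01

[postgres]
disabled = true
"""


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '10.2.3' (or '10.2') into a (major, minor, patch) tuple."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return (parts + (0, 0, 0))[:3]


def is_affected(version: str):
    """True/False per the ranges this page states; None if the branch is not covered."""
    major, minor, patch = parse_version(version)
    if (major, minor) == (10, 2):
        return patch < 4          # fixed in 10.2.4
    if (major, minor) == (10, 0):
        return patch < 7          # fixed in 10.0.7
    if (major, minor) >= (10, 4):
        return False              # 10.4.0 and later ship the fix
    if (major, minor) <= (9, 4):
        return False              # 9.4 and earlier are not affected
    return None                   # branch not described on this page


def sidecar_disabled(server_conf_text: str) -> bool:
    """Check for the [postgres] disabled = true workaround in server.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(server_conf_text)
    return cp.getboolean("postgres", "disabled", fallback=False)


def triage(version: str, server_conf_text: str) -> str:
    """Combine the version check with the workaround check into one verdict."""
    affected = is_affected(version)
    if affected is False:
        return "not affected"
    if affected is None:
        return "unknown"
    if sidecar_disabled(server_conf_text):
        return "affected, workaround applied"
    return "affected, upgrade or disable"


def triage_from_file(version: str, splunk_home: str) -> str:
    """Read the local server.conf under a given SPLUNK_HOME; missing file means no workaround."""
    conf = Path(splunk_home) / "etc" / "system" / "local" / "server.conf"
    text = conf.read_text() if conf.exists() else ""
    return triage(version, text)
```

The workaround check only confirms that the setting is present; a restart of Splunk Enterprise is still required for it to take effect, and the verdict says nothing about the Edge Processor, OpAmp or SPL2 pipelines that disabling the sidecar breaks.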
