U.S. CISA adds Splunk Enterprise flaw to its Known Exploited Vulnerabilities catalog and urges agencies to fix it by Sunday
2026-6-19 10:34:37 Author: securityaffairs.com


U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Splunk Enterprise flaw to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Splunk Enterprise flaw, tracked as CVE-2026-20253 (CVSS score of 9.8), to its Known Exploited Vulnerabilities (KEV) catalog.

The flaw CVE-2026-20253 is an improper authentication vulnerability in the PostgreSQL sidecar service of Splunk Enterprise that allows unauthenticated remote attackers to create or truncate arbitrary files on affected systems. The issue stems from missing authentication controls on a PostgreSQL sidecar service endpoint, enabling any network-reachable user to invoke file operations without valid credentials.

“In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint,” reads the advisory. “The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials.”

Successful exploitation could lead to data loss, service disruption, or further compromise depending on the files targeted.

The vulnerability affects Splunk Enterprise 10.2 versions prior to 10.2.4 and 10.0 versions prior to 10.0.7, while versions 9.4 and earlier are not impacted. Organizations unable to immediately apply the available patches should mitigate the risk by disabling the PostgreSQL sidecar service.
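One way to triage an inventory against the version ranges stated above. This is an added example, not code from Splunk, CISA or the article; the inventory line format, host names, build strings and function names are assumptions, and branches the article does not name are reported as `unlisted` rather than guessed.

```python
import re

# Version ranges as stated in the advisory quoted in this article.
FIRST_FIXED_PATCH = {(10, 0): 7, (10, 2): 4}  # branch -> first fixed patch level
NOT_IMPACTED_MAX = (9, 4)                     # "versions 9.4 and earlier are not impacted"

VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

def triage(version_text):
    """Classify one version string for CVE-2026-20253."""
    m = VERSION_RE.search(version_text)
    if not m:
        return "unparsed"
    major, minor = int(m.group(1)), int(m.group(2))
    # A missing patch level is treated as 0, i.e. conservatively as unpatched.
    patch = int(m.group(3) or 0)
    if (major, minor) <= NOT_IMPACTED_MAX:
        return "not-impacted"
    first_fixed = FIRST_FIXED_PATCH.get((major, minor))
    if first_fixed is None:
        # Branch not named in the article: do not guess, check the vendor advisory.
        return "unlisted"
    # Numeric comparison, so 10.0.10 is correctly newer than 10.0.7.
    return "affected" if patch < first_fixed else "fixed"

def triage_inventory(lines):
    """Map host -> status from lines of the assumed form '<host> <version text>'."""
    rows = (line.split(None, 1) for line in lines if line.strip())
    return {r[0]: triage(r[1] if len(r) > 1 else "") for r in rows}

def needs_action(statuses):
    """Hosts to patch, mitigate or investigate: everything not clearly safe."""
    return sorted(h for h, s in statuses.items() if s not in ("fixed", "not-impacted"))

# Constructed sample inventory (hypothetical hosts and build strings).
SAMPLE = [
    "idx-01 Splunk 10.2.3 (build 000000000000)",
    "idx-02 Splunk 10.2.4 (build 000000000000)",
    "sh-01  Splunk 10.0.6",
    "sh-02  Splunk 10.0.10",
    "hf-01  Splunk 9.4.2",
    "lab-01 Splunk 10.1.0",
    "old-01 version unknown",
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host:8} {status}")
```

Hosts returned by `needs_action` are the ones to upgrade or, where patching must wait, to mitigate by disabling the PostgreSQL sidecar service as the article describes.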

Splunk PSIRT confirmed it is aware of limited active exploitation of the vulnerability and urged customers to immediately upgrade to patched versions to mitigate the risk. The company did not disclose technical details about the attacks targeting this issue.

“In June 2026, the Splunk Product Security Incident Response Team (PSIRT) became aware of limited exploitation of this vulnerability. Splunk strongly recommends that customers upgrade to a fixed software release to remediate this vulnerability,” continues the advisory.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix the vulnerability by the end of this week, on June 21, 2026.


Pierluigi Paganini





Source: https://securityaffairs.com/193888/security/u-s-cisa-adds-splunk-enterprise-flaw-to-its-known-exploited-vulnerabilities-catalog-and-urges-agencies-to-fix-it-by-sunday.html