Splunk CVE-2026-20253: 1,400 Exposed Instances Under Active Unauthenticated RCE Attack

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
CVE-2026-20253, a CVSS 9.8 missing authentication flaw in Splunk Enterprise, is being actively exploited to give attackers unauthenticated remote code execution on one of the most widely deployed security monitoring platforms in enterprise environments.
Splunk CVE-2026-20253 unauthenticated RCE affects Splunk Enterprise versions 10.0.0 through 10.0.6 and 10.2.0 through 10.2.3. Splunk released fixes on June 10, 2026, but threat actors began exploiting the vulnerability just eight days later. CISA added CVE-2026-20253 to its Known Exploited Vulnerabilities catalog on June 18 and issued a federal mandate requiring all Federal Civilian Executive Branch agencies to patch by June 21. That deadline has passed. Shadowserver tracks over 1,400 internet-exposed Splunk instances worldwide, more than 950 of them in North America, all reachable by the same exploit code WatchTowr Labs published on June 12.
The vulnerability resides in the PostgreSQL sidecar service bundled with Splunk Enterprise. This service exposes an HTTP endpoint that accepts recovery and file operation requests but performs no authentication. An attacker reachable on the network sends crafted requests to this endpoint and supplies any credentials, including empty strings. The sidecar passes those values to PostgreSQL tools without validation. Using PostgreSQL's lo_export function, the attacker writes arbitrary files to disk. On a typical Splunk deployment, that path leads directly to writing a Python script into a Splunk-owned directory, triggering execution through the process supervisor, and establishing a persistent reverse shell.
The risk here extends beyond a single compromised server. Splunk Enterprise is the SIEM and security operations center platform for thousands of organizations. Compromising it hands attackers access to every security event, log, and alert flowing through the organization's detection infrastructure. Credentials stored in Splunk inputs become readable. Alerting can be disabled. The platform's privileged network position enables lateral movement across the environment. Any Splunk Enterprise deployment on the affected versions that has not been patched since June 10 must be treated as a priority remediation today, not a scheduled maintenance item.
How Does the CVE-2026-20253 Exploit Work?
CVE-2026-20253 exploits a total absence of authentication in the PostgreSQL sidecar service that ships with Splunk Enterprise. The sidecar is a companion process that supports the Edge Processor, OpAmp, and SPL2 data pipeline features. It runs alongside the main Splunk daemon, exposes an HTTP endpoint, and accepts commands relayed from the Splunk web server. The flaw is not subtle: the service expects HTTP Basic authorization headers but applies no validation. It accepts any username and any password including empty strings and proceeds to execute the requested file operation.
The attack chain runs in four steps. The attacker first sends an unauthenticated HTTP request to the sidecar endpoint. The request includes PostgreSQL connection parameters in the URL including hostaddr=, dbname=, port=, and passfile= fields that direct the sidecar to open a database connection. The sidecar opens the connection without verifying the caller's identity.
In the second step, the attacker invokes PostgreSQL's large object export function (lo_export), which writes binary data from the database to a specified file path on the server's filesystem. The attacker controls both the content and the destination path. Typical targets are /opt/splunk/var/run/supervisor/pkg-run/ or other directories writable by the Splunk process.
In the third step, the attacker writes executable content. WatchTowr Labs' June 12 proof-of-concept demonstrated writing a Python script that, when loaded by Splunk's process supervisor, establishes a reverse connection to an attacker-controlled host. No web shell is required because the Splunk environment already has Python installed and the supervisor runs scripts automatically.
The fourth step is persistence. Modified Python scripts in the splunk_secure_gateway app survive service restarts and re-execute each time Splunk loads. Attackers observed in the wild are using this persistence path rather than temporary process injection, meaning cleanup requires verifying the integrity of Splunk's Python modules, not just killing a rogue process.
Unauthenticated Sidecar Access
Attacker sends HTTP request to the PostgreSQL sidecar endpoint with hostaddr=, dbname=, port=, and passfile= parameters. The sidecar accepts any credential including empty strings and opens the requested database connection.
Arbitrary File Write via lo_export
Attacker invokes PostgreSQL lo_export to write attacker-controlled binary content to a target path on the server filesystem, typically /opt/splunk/var/run/supervisor/pkg-run/ or a Splunk app directory.
Python Script Execution
Written Python script is loaded by Splunk's process supervisor, establishing an outbound reverse shell to the attacker's C2 host. Splunk's native Python runtime executes the payload with the Splunk service account's privileges.
Persistent Backdoor
Attacker modifies Python modules in the splunk_secure_gateway app. Scripts re-execute on every Splunk service restart, surviving reboots and routine maintenance until the compromised modules are identified and replaced.
Which Splunk Enterprise Versions Are Vulnerable?
The affected population is Splunk Enterprise deployments running versions 10.0.0 through 10.0.6 or 10.2.0 through 10.2.3. Splunk Enterprise 9.x and earlier are not affected by CVE-2026-20253. Splunk Cloud Platform is not affected. The Splunk Secure Gateway app must be enabled for the sidecar service to run, but Secure Gateway is enabled by default in all affected Enterprise versions, meaning the attack surface is active on most installations without any administrator action.
Shadowserver's internet scanning data puts the global count of internet-exposed Splunk instances at over 1,400. North America accounts for the largest share at 952, followed by Europe at 223. These are instances with the Splunk web interface directly reachable from the public internet. Internal deployments accessible from corporate networks without internet exposure face the same exploitation risk from any attacker who has already crossed the perimeter.
The sector distribution of Splunk users concentrates the risk in high-value targets. Financial services firms, healthcare networks, federal agencies, and large enterprise security operations centers all rely on Splunk Enterprise as their primary log aggregation and alerting platform. The implicit trust these organizations place in their SIEM makes compromise especially damaging. An attacker inside Splunk can monitor detection rules in real time and modify searches to create blind spots in alerting before launching further attacks.
Splunk's advisory confirmed that the June 10 patches introduced in versions 10.0.7, 10.2.4, and 10.4.0 fully resolve the authentication gap. Organizations running Splunk Cloud Platform do not need to take action. Organizations running any self-hosted Splunk Enterprise version in the 10.0.x or 10.2.x branches should check their installed version immediately.
The scope and urgency here parallels other recent critical SIEM and security infrastructure vulnerabilities covered in our analysis of CISA's June 2026 patch mandates for PAN-OS, Defender, and Langflow, where CISA's rapid addition to the KEV catalog signaled imminent widescale exploitation.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
CISA's Emergency Mandate and Active Exploitation Evidence
CISA added CVE-2026-20253 to its Known Exploited Vulnerabilities catalog on June 18, 2026, eight days after Splunk released the patch and six days after WatchTowr Labs published working exploit code. The KEV listing triggered an automatic federal remediation deadline under Binding Operational Directive 26-04, requiring all Federal Civilian Executive Branch agencies to patch by June 21. That deadline has passed as of today.
Splunk confirmed limited in-the-wild exploitation on June 18 alongside the CISA announcement. "The PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials," the Splunk security team stated in its advisory. Active exploitation was confirmed through telemetry showing Splunk instances generating anomalous outbound connections and unexpected file creation events consistent with the WatchTowr proof-of-concept attack chain.
The timeline is significant. Public PoC code has been available since June 12. That gives any threat actor more than ten days to weaponize the exploit against unpatched instances before the federal deadline. Splunk Enterprise CVE-2026-20253 joins a pattern of critical security infrastructure vulnerabilities exploited within days of PoC release, a pattern also seen with the FortiSandbox unauthenticated RCE flaws patched earlier this month.
CISA characterizes exploited Splunk vulnerabilities as "a frequent attack vector for malicious cyber actors" that "pose significant risks to the federal enterprise." The agency's three-day remediation window reflects the severity of the threat, given that compromising a SIEM platform exposes the full scope of an organization's security monitoring posture to the attacker.
“The PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials.”
Splunk Security Team, SVD-2026-0610 Advisory, June 2026
Indicators of Compromise: Detecting CVE-2026-20253 in Your Environment
Detecting exploitation requires checking Splunk's internal access logs, the filesystem, and network telemetry. The attack leaves distinct traces at each step.
In network and HTTP logs, look for requests to the Splunk web server that contain the PostgreSQL connection parameters hostaddr=, dbname=, port=, or passfile= in URL query strings or POST body data. These parameters have no legitimate use in normal Splunk web interface traffic and indicate an attempt to invoke the sidecar service. Any external IP that sent such a request after June 10, 2026, should be treated as an exploitation attempt.
In the filesystem, check /opt/splunk/var/run/supervisor/pkg-run/ for any files with a modification timestamp after the last verified administrative change. Examine /opt/splunk/etc/apps/splunk_secure_gateway/ for unexpected or modified Python files. Run a recursive hash comparison against a known-good Splunk installation to surface any tampered modules. WatchTowr's public PoC created a file at /opt/splunk/share/splunk/search_mrsparkle/exposed/watchTowr.txt as a proof of write; the presence of this file confirms exploitation occurred.
In process telemetry, look for Splunk-spawned Python processes making outbound network connections to external hosts. The supervisor process on a healthy Splunk instance does not initiate connections outside the organization's network. Any outbound Python connection from the Splunk process hierarchy to an external IP is a strong indicator of an established reverse shell.
In EDR telemetry, hunt for process creation events where the parent is a Splunk service and the child is Python with command-line arguments referencing external IP addresses, base64-encoded payloads, or socket connections.
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
How to Patch and Remediate CVE-2026-20253
Patching to a fixed Splunk Enterprise version closes the unauthenticated sidecar endpoint and is the only permanent remediation. Splunk has confirmed that no workaround fully eliminates the risk without breaking functionality. Disabling the PostgreSQL sidecar service removes the attack surface but breaks Edge Processor, OpAmp, and SPL2 data pipelines. Treat the sidecar disable as a temporary measure for environments where immediate patching is blocked.
The fixed versions are Splunk Enterprise 10.0.7, 10.2.4, and 10.4.0. Organizations running the 10.0.x branch should upgrade to 10.0.7 or later. Organizations on 10.2.x should upgrade to 10.2.4 or later. Organizations already running 10.4.0 are not affected. Check the installed version at Settings > About in the Splunk web interface before proceeding.
For organizations that completed this patch before June 21, forensic validation of the Splunk filesystem and Python modules is still recommended. The CISA KEV listing and confirmed exploitation mean that unpatched instances reachable from the network should be considered potentially compromised, not merely at risk. Treat the remediation as incident response, not scheduled maintenance. The steps below should be completed in order.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Why Splunk CVE-2026-20253 Unauthenticated RCE Is a Priority This Week
Most critical CVEs affect a single application or service. CVE-2026-20253 affects the platform that monitors every application and service in your environment. An attacker who compromises your Splunk Enterprise instance gains read access to your entire security telemetry stream: firewall logs, endpoint alerts, authentication events, and network flows. That visibility lets attackers identify gaps in detection coverage, confirm which of their tools are triggering alerts, and plan lateral movement around your monitoring blind spots.
The Splunk process account on most enterprise deployments carries elevated privileges to read log files across multiple systems. In environments where Splunk connects to Active Directory, cloud platforms, or ticketing systems, the service account credentials stored as Splunk inputs become available to any process running under the Splunk identity after exploitation. This is not a standard server compromise. It is a compromise of your security operations function itself.
The active exploitation timeline makes this urgent. Exploitation was confirmed on day 8 after patching. WatchTowr published weaponizable code on day 2. Every day beyond the June 21 CISA deadline increases the probability that an unpatched instance has already been accessed. The attacker access pattern, persistent Python backdoors surviving service restarts, means that patching an already-compromised instance closes the entry point without evicting the attacker.
Organizations that completed remediation before the June 21 deadline should still validate their Splunk Python modules. Organizations that have not patched must treat this as an active incident response scenario. See our recent coverage of the Windows Netlogon RCE flaw CVE-2026-41089 for parallel context on CISA's response posture when domain-critical infrastructure faces confirmed RCE exploitation.
The bottom line
Splunk CVE-2026-20253 unauthenticated RCE gives attackers CVSS 9.8-rated code execution on the platform watching your entire environment, with no credentials required. CISA confirmed active exploitation on June 18, the federal patch deadline passed on June 21, and over 1,400 internet-exposed instances remain scannable today. The three key takeaways: the PostgreSQL sidecar accepts any credential including empty strings, attackers establish persistent Python backdoors that survive service restarts, and patching a compromised instance does not evict an attacker already present. Upgrade to Splunk Enterprise 10.0.7, 10.2.4, or 10.4.0 before end of day.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is CVE-2026-20253 in Splunk Enterprise?
CVE-2026-20253 is a CVSS 9.8 critical vulnerability in the PostgreSQL sidecar service included with Splunk Enterprise. The sidecar service exposes an HTTP endpoint that performs no authentication, allowing any attacker reachable on the network to invoke file operations using PostgreSQL's lo_export function and write arbitrary content to the server filesystem, which leads to remote code execution. The flaw is classified as CWE-306: Missing Authentication for Critical Function.
Is CVE-2026-20253 being actively exploited?
Yes. Splunk confirmed active in-the-wild exploitation on June 18, 2026, eight days after releasing the patch. CISA added CVE-2026-20253 to its Known Exploited Vulnerabilities catalog the same day and issued a federal mandatory patch deadline of June 21. WatchTowr Labs published working proof-of-concept exploit code on June 12, six days before exploitation was confirmed, providing threat actors a weaponizable attack path from day two after public disclosure.
Which versions of Splunk Enterprise are vulnerable to CVE-2026-20253?
The vulnerable versions are Splunk Enterprise 10.0.0 through 10.0.6 and 10.2.0 through 10.2.3. Splunk Enterprise 9.x and earlier are not affected. Splunk Cloud Platform is not affected. The fixed versions are 10.0.7, 10.2.4, and 10.4.0. Check Settings > About in the Splunk web interface to confirm which version your deployment is running.
How do I patch CVE-2026-20253?
Upgrade Splunk Enterprise to version 10.0.7 (for 10.0.x deployments), 10.2.4 (for 10.2.x deployments), or 10.4.0. Download the update from Splunk's official release page and follow the standard Splunk upgrade process. Confirm the version in Settings > About after the upgrade. No configuration change is required in addition to the version upgrade. Patching is the only permanent fix.
Can I mitigate CVE-2026-20253 without patching immediately?
Splunk's official position is that no workaround fully removes the risk without breaking functionality. You can disable the PostgreSQL sidecar service using the CLI command splunk disable sidecar-service, which eliminates the unauthenticated endpoint but disables Edge Processor, OpAmp, and SPL2 data pipelines. Treat this as a temporary control only. You should also ensure the Splunk management interface is not internet-exposed and restrict access to trusted IP ranges.
How do I detect if my Splunk instance was compromised via CVE-2026-20253?
Check Splunk's internal access logs for requests containing hostaddr=, dbname=, port=, or passfile= parameters sent to the web server. Search the filesystem for unexpected files in /opt/splunk/var/run/supervisor/pkg-run/ and modified Python files in /opt/splunk/etc/apps/splunk_secure_gateway/. Look for the file /opt/splunk/share/splunk/search_mrsparkle/exposed/watchTowr.txt, which the WatchTowr PoC creates as proof of write access. Hunt for outbound connections from Python processes under the Splunk process hierarchy.
Does CVE-2026-20253 affect Splunk Cloud?
No. Splunk Cloud Platform is not affected by CVE-2026-20253. The vulnerability is specific to self-hosted Splunk Enterprise deployments running versions in the 10.0.x and 10.2.x branches. If your organization uses Splunk Cloud, no action is required for this specific CVE. Organizations running hybrid deployments with on-premises Splunk Enterprise forwarders or indexers should verify the versions of all on-premises components.
What does CISA say about CVE-2026-20253?
CISA added CVE-2026-20253 to its Known Exploited Vulnerabilities catalog on June 18, 2026, under Binding Operational Directive 26-04. CISA described the vulnerability as 'a frequent attack vector for malicious cyber actors' that 'poses significant risks to the federal enterprise' and mandated that all Federal Civilian Executive Branch agencies remediate by June 21, 2026. CISA's three-day remediation window is among the shortest in the KEV catalog, reflecting the confirmed exploitation and severity of the vulnerability.
Sources & references
- CISA: Known Exploited Vulnerabilities Catalog: CVE-2026-20253
- BleepingComputer: CISA Splunk Enterprise flaw actively exploited, patch by Sunday
- SOCRadar: CVE-2026-20253 CISA Warns of Actively Exploited Splunk Enterprise RCE
- Splunk Security Advisory: SVD-2026-0610
- Help Net Security: Unauthenticated RCE in Splunk Enterprise under active attack
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
