CVE Details

CVE-2026-20253 Splunk Enterprise Missing Authentication for Critical Function Vulnerability
  • Published: 2026-06-18
  • CVSS: 9.8 CRITICAL
  • Product: Splunk Enterprise
  • Due Date: 2026-06-21

Splunk Enterprise contains a missing authentication for critical function vulnerability which could allow an unauthenticated user to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint.

FIRST EPSS

EPSS estimates the probability of exploitation in the next 30 days. Higher values indicate higher likelihood of real-world exploitation.

MITRE

CVSS

  • Score: 9.8
  • Severity: CRITICAL
  • Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC

  • Exploitation: active
  • Automatable: yes
  • Technical Impact: total

References

Raw Data (key path followed by value)
dataType CVE_RECORD
dataVersion 5.2
cveMetadata > cveId CVE-2026-20253
cveMetadata > assignerOrgId d1c1063e-7a18-46af-9102-31f8928bc633
cveMetadata > state PUBLISHED
cveMetadata > assignerShortName cisco
cveMetadata > dateReserved 2025-10-08T11:59:15.401Z
cveMetadata > datePublished 2026-06-10T17:16:21.242Z
cveMetadata > dateUpdated 2026-06-18T16:56:00.789Z
containers > cna > affected > 0 > product Splunk Enterprise
containers > cna > affected > 0 > vendor Splunk
containers > cna > affected > 0 > versions > 0 > version 10.2
containers > cna > affected > 0 > versions > 0 > status affected
containers > cna > affected > 0 > versions > 0 > versionType custom
containers > cna > affected > 0 > versions > 0 > lessThan 10.2.4
containers > cna > affected > 0 > versions > 1 > version 10.0
containers > cna > affected > 0 > versions > 1 > status affected
containers > cna > affected > 0 > versions > 1 > versionType custom
containers > cna > affected > 0 > versions > 1 > lessThan 10.0.7
containers > cna > descriptions > 0 > lang en
containers > cna > descriptions > 0 > supportingMedia > 0 > base64 False
containers > cna > descriptions > 0 > supportingMedia > 0 > type text/html
containers > cna > descriptions > 0 > supportingMedia > 0 > value In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials. Splunk Enterprise versions 9.4 and earlier are not affected. If you cannot immediately upgrade to a fixed version, you can mitigate this vulnerability by disabling the PostgreSQL sidecar service.
containers > cna > descriptions > 0 > value In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials. Splunk Enterprise versions 9.4 and earlier are not affected. If you cannot immediately upgrade to a fixed version, you can mitigate this vulnerability by disabling the PostgreSQL sidecar service.
containers > cna > references > 0 > url https://advisory.splunk.com/advisories/SVD-2026-0603
containers > cna > title Unauthenticated Arbitrary File Creation and Truncation in a PostgreSQL Sidecar Service Endpoint in Splunk Enterprise
containers > cna > datePublic 2026-06-10T00:00:00.000Z
containers > cna > metrics > 0 > cvssV3_1 > vectorString CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
containers > cna > metrics > 0 > cvssV3_1 > version 3.1
containers > cna > metrics > 0 > cvssV3_1 > baseScore 9.8
containers > cna > metrics > 0 > cvssV3_1 > baseSeverity CRITICAL
containers > cna > metrics > 0 > format CVSS
containers > cna > metrics > 0 > scenarios > 0 > lang en
containers > cna > metrics > 0 > scenarios > 0 > value GENERAL
containers > cna > problemTypes > 0 > descriptions > 0 > lang en
containers > cna > problemTypes > 0 > descriptions > 0 > type cwe
containers > cna > problemTypes > 0 > descriptions > 0 > description The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
containers > cna > problemTypes > 0 > descriptions > 0 > cweId CWE-306
containers > cna > source > advisory SVD-2026-0603
containers > cna > credits > 0 > lang en
containers > cna > credits > 0 > value Alex Hordijk (hordalex)
containers > cna > providerMetadata > orgId d1c1063e-7a18-46af-9102-31f8928bc633
containers > cna > providerMetadata > shortName cisco
containers > cna > providerMetadata > dateUpdated 2026-06-15T20:33:56.243Z
containers > adp > 0 > references > 0 > url https://labs.watchtowr.com/why-use-app-level-auth-when-every-database-has-auth-splunk-enterprise-cve-2026-20253-pre-auth-rce/
containers > adp > 0 > references > 0 > tags > 0 exploit
containers > adp > 0 > references > 1 > url https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20253
containers > adp > 0 > references > 1 > tags > 0 government-resource
containers > adp > 0 > metrics > 0 > other > type ssvc
containers > adp > 0 > metrics > 0 > other > content > timestamp 2026-06-18T16:55:05.297800Z
containers > adp > 0 > metrics > 0 > other > content > id CVE-2026-20253
containers > adp > 0 > metrics > 0 > other > content > options > 0 > Exploitation active
containers > adp > 0 > metrics > 0 > other > content > options > 1 > Automatable yes
containers > adp > 0 > metrics > 0 > other > content > options > 2 > Technical Impact total
containers > adp > 0 > metrics > 0 > other > content > role CISA Coordinator
containers > adp > 0 > metrics > 0 > other > content > version 2.0.3
containers > adp > 0 > title CISA ADP Vulnrichment
containers > adp > 0 > providerMetadata > orgId 134c704f-9b21-4f2e-91b3-4a467353bcc0
containers > adp > 0 > providerMetadata > shortName CISA-ADP
containers > adp > 0 > providerMetadata > dateUpdated 2026-06-18T16:56:00.789Z