INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
U.S. CISA Adds Splunk Flaw to Known Exploited Vulnerabilities
2026-06-19 10:34 | CRITICAL | HIGH
Executive Summary (AI-generated)
The US Cybersecurity and Infrastructure Security Agency (CISA) has identified a critical vulnerability in Splunk Enterprise, rated 9.8 on the CVSS scoring system, which could be exploited to conduct unauthenticated file operations and remote code execution. The flaw affects Splunk Enterprise 10.2 versions prior to 10.2.4 and 10.0 versions prior to 10.0.7; versions 9.4 and earlier are not impacted. CISA urges agencies to fix the vulnerability by Sunday or risk being targeted by attackers who could exploit it to gain unauthorized access to systems. Splunk's Product Security Incident Response Team (PSIRT) has said it is aware of limited exploitation of the flaw as of June 2026.
Technical Mitigations (AI-generated)
* Disable the PostgreSQL sidecar service on affected systems until they are patched, to prevent unauthorized file operations and remote code execution.
* Upgrade to a patched version of Splunk Enterprise (10.0.7 for the 10.0 branch, 10.2.4 or later for the 10.2 branch) as soon as possible to address the vulnerability.
* Restrict access to the PostgreSQL sidecar service endpoints so that file operations such as backup and restore cannot be invoked without valid credentials.
* Monitor systems for signs of exploitation and take immediate action if exploitation is discovered, such as disabling the PostgreSQL sidecar service or patching the affected system.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-20253
Target & Sectors
NORTH_AMERICA
Incident Timeline
Jun 13, 2026: U.S. CISA adds Splunk Enterprise flaw to its Known Exploited Vulnerabilities catalog and urges agencies to fix it by Sunday.
Jun 19, 2026: An attacker could exploit the Splunk Enterprise vulnerability to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint by connecting to an attacker-controlled database, dumping its contents using /backup and loading it into the local instance.
organisation
Splunk Enterprise
The flaw CVE-2026-20253 is an improper authentication vulnerability in the PostgreSQL sidecar service of Splunk Enterprise that allows unauthenticated remote attackers to create or truncate arbitrary files on affected systems.
Ravie Lakshmanan
Jun 13, 2026
Vulnerability / Enterprise Software
Splunk has released security updates to address a critical security flaw in Splunk Enterprise that could be exploited to conduct unauthenticated file operations and even remote code execution.
organisation
CVSS
The vulnerability, tracked as CVE-2026-20253, is rated 9.8 on the CVSS scoring system.
infrastructure
10.2
“In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint.”
The vulnerability affects Splunk Enterprise 10.2 versions prior to 10.2.4 and 10.0 versions prior to 10.0.7, while versions 9.4 and earlier are not impacted.
infrastructure
10.2.4
"In Splunk Enterprise versions below 10.2.4 and 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint," Splunk said in an alert this week.
The issue has been addressed in the following versions:
* Splunk Enterprise 10.0.0 to 10.0.6 - Fixed in 10.0.7
* Splunk Enterprise 10.2.0 to 10.2.3 - Fixed in 10.2.4
* Splunk Enterprise 10.4 - Not affected
Splunk, which is part of Cisco, said Splunk Cloud is not impacted by the vulnerability as Postgres sidecars are not used in the product.
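As an added example (not code from this page or from Splunk), a Python triage helper that encodes the fix table quoted above and classifies inventoried Splunk Enterprise versions; branches the alert does not mention (such as 10.1 or 10.3) are reported as "unlisted" rather than assumed safe, and the hostnames and versions in the sample inventory are constructed.

```python
"""Classify a Splunk Enterprise version against the CVE-2026-20253 fix table.
Ranges as quoted from Splunk's alert on this page:
  10.0.0 - 10.0.6   affected, fixed in 10.0.7
  10.2.0 - 10.2.3   affected, fixed in 10.2.4
  10.4, and 9.4 or earlier   not affected
Anything else is reported as "unlisted" rather than guessed safe.
"""
import re
from typing import NamedTuple, Optional
class Verdict(NamedTuple):
    status: str              # "affected", "not_affected" or "unlisted"
    fixed_in: Optional[str]  # build to upgrade to when status is "affected"

# (major, minor) -> (last vulnerable patch level, fixed-in build), from the alert
_FIX_TABLE = {
    (10, 0): (6, "10.0.7"),
    (10, 2): (3, "10.2.4"),
}

def parse_version(text: str) -> tuple:
    """Turn '10.2.3', '10.2' or '10' into a (major, minor, patch) int tuple."""
    m = re.fullmatch(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"not a Splunk version string: {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def classify(text: str) -> Verdict:
    major, minor, patch = parse_version(text)
    if (major, minor) <= (9, 4):
        return Verdict("not_affected", None)  # "9.4 and earlier are not impacted"
    if (major, minor) == (10, 4):
        return Verdict("not_affected", None)  # "Splunk Enterprise 10.4 - Not affected"
    branch = _FIX_TABLE.get((major, minor))
    if branch is None:
        return Verdict("unlisted", None)      # e.g. 10.1 or 10.3: not in the alert
    last_vuln, fixed_in = branch
    if patch <= last_vuln:
        return Verdict("affected", fixed_in)
    return Verdict("not_affected", None)      # at or past the fixed build

def triage(inventory: dict) -> dict:
    """Map host -> Verdict for a {host: version} inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"idx01": "10.2.3", "idx02": "10.0.7", "sh01": "9.4.2", "sh02": "10.3.1"}
    for host, v in triage(sample).items():
        print(host, v.status, f"-> upgrade to {v.fixed_in}" if v.fixed_in else "")
```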
organisation
/backup
The entire sequence of actions is below:
* Create a database and configure it such that a user can authenticate without a password, and grant it sufficient permissions to invoke functions like lo_export
* Use the /backup endpoint to drop a dump of the remote database onto the Splunk file system
* Use the /restore endpoint to load the malicious database dump, trigger execution of the malicious function during the restore process, and write an attacker-controlled Python script to the Splunk file system
organisation
SQL
The attack chain works as follows:
* Connect to an attacker-controlled database and dump its contents into an arbitrary file using the /backup endpoint
* Load the dump of the attacker-controlled database into the local PostgreSQL instance using the /restore endpoint by including a "passfile" argument that specifies the path to a ".pgpass" file ("/opt/splunk/var/packages/data/postgres/.pgpass") containing the password for the "postgres_admin" user
* SQL queries defined in the database dump will get executed by Splunk's PostgreSQL instance
An attacker could weaponize this weakness to define a new function that uses lo_export - a function used to extract a BLOB from the database and save it as a file on the file system - to write attacker-controlled content to a file, following which the function gets executed during the restoration process.
Jun 21, 2026: Threat actors used a known exploit of Splunk Enterprise to target U.S. federal agencies, prompting CISA to add the vulnerability to its catalog and urge them to fix it by June 21, 2026.
June 2026: Threat actors used a known exploit of Splunk Enterprise to target U.S. federal agencies by June 2026.
Tactical Metrics
Software versions referenced (infrastructure): 10.2, 10.2.4, 10.0.7, 10.0, 9.4, 10.0.0, 10.0.6, 10.2.0, 10.2.3, 10.4 (context: the Splunk alert and fixed-version table quoted above).
Intelligence Sources
* The Hacker News, 2026-06-13
* Security Affairs, 2026-06-19
Tactical Intelligence
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-29T06:26
Comprehensive Tactical Telemetry
Highly Correlated Entities
* 10x - infrastructure - Software Version: 10.2
* 8x - organisation - Identified Entity: Splunk Enterprise
* 6x - attribution - Attributing Entity: The U.S. Cybersecurity and Infrastructure Security Agency
* 5x - timeline - Temporal Reference: June 21, 2026
* 3x - tactic - MITRE ATT&CK Technique: T1588.006 - Vulnerabilities
* 2x - general metric - Versions: 10
Contextual Telemetry
Context Block (6 metrics)
* vulnerability - Exploited CVE: CVE-2026-20253
* vulnerability - CVSS Score: 10
* target region - Target Country: United States
* tactic - Cyber Operation Type: Remote Code Execution
* general metric - Jun: 13
* general metric - Cve-2026: 10