Splunk Enterprise CVE-2026-20253: KEV Arbitrary File Creation via PostgreSQL Sidecar

Suspected
Discovered Jun 18, 2026

CISA added Splunk Enterprise CVE-2026-20253 to KEV on 2026-06-18. The vulnerability allows an unauthenticated user to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint in affected Splunk Enterprise releases.

0
Affected Packages
2
Observables
3
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Am I affected?
Review affected software below
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script
hXXps://advisory[.]splunk[.]com/advisories/SVD-2026-0603
hXXps://www[.]cisa[.]gov/sites/default/files/feeds/known_exploited_vulnerabilities[.]json

Analysis

Executive Summary

CISA added CVE-2026-20253 to the Known Exploited Vulnerabilities catalog on 2026-06-18, marking it as actively exploited and requiring vendor mitigations under BOD 26-04 [1]. The affected product is Splunk Enterprise. Splunk's advisory says an unauthenticated user can create or truncate arbitrary files through a PostgreSQL sidecar service endpoint in Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7 [2]. NVD corroborates the same ranges, maps the issue to CWE-306, and repeats the vendor mitigation to disable the PostgreSQL sidecar service if upgrading is not immediately possible [3].

This is a new Halting Problems post rather than a duplicate: no existing site post matched the CVE, advisory ID, or Splunk sidecar endpoint selector. The operational priority is filesystem integrity. A successful write primitive on a Splunk host can tamper with configuration, truncate logs, suppress alerts, or damage local files that store secrets or automation state.

Key Facts

CVE: CVE-2026-20253

Vendor: Splunk

Product: Splunk Enterprise

Advisory ID: SVD-2026-0603

Vulnerability Class: Missing authentication for critical function / arbitrary file creation and truncation

CWE: CWE-306

Severity: 9.8 Critical

Affected Versions:

  • 10.2 below 10.2.4
  • 10 below 10.0.7

Fixed Versions:

  • 10.2.4
  • 10.0.7
  • 10.4.0

KEV Added: 2026-06-18

KEV Due Date: 2026-06-21

Mitigation if upgrade is delayed: disable the PostgreSQL sidecar service in $SPLUNK_HOME/etc/system/local/server.conf with [postgres] disabled = true and restart Splunk Enterprise [2]

Highest Value Evidence:

  • $SPLUNK_HOME/etc/system/local/server.conf
  • Splunk Enterprise version output
  • Splunk audit and access logs
  • Filesystem timestamp diffs under Splunk-managed paths

Evidence Assessment

Analysis table
ClaimStatusEvidence
CISA added CVE-2026-20253 to KEV on 2026-06-18 and names Splunk Enterprise as the affected product.confirmedThe live KEV JSON entry records cveID CVE-2026-20253, vendorProject Splunk, product Enterprise, and dateAdded 2026-06-18 [1].
Splunk says an unauthenticated user can create or truncate arbitrary files through a PostgreSQL sidecar service endpoint.confirmedThe advisory title and description state exactly that, and the product-status table identifies the affected build ranges [2].
Splunk Enterprise 10.2 below 10.2.4 and 10 below 10.0.7 are affected; 9.4 and earlier are not affected.confirmedThe advisory solution and product-status sections list those ranges, and NVD mirrors the same version boundaries [2][3].
Splunk recommends upgrading or, if that is not immediate, disabling the PostgreSQL sidecar service.confirmedThe mitigation section instructs operators to set [postgres] disabled = true in server.conf and restart the instance [2].
Public sources do not publish campaign names, victim counts, hashes, or source IPs.not observedThe CISA, Splunk, and NVD references used here describe the vulnerability and mitigation path, but none provide those campaign details [1][2][3].

Impact Determination

Analysis table
ClassificationCriteriaWhat to look forAction
Confirmed compromiseAffected host shows unauthorized file creation/truncation, unexpected Splunk config changes, or log tampering around the sidecar endpoint.server.conf diffs, timestamp anomalies, audit logs, Splunk process behavior, and restored file comparisons.Isolate the host, preserve evidence, restore clean files from trusted backups, and rotate any secrets exposed on the host.
Presumed exposedThe instance runs an affected version or version status is unknown, and the PostgreSQL sidecar service remains reachable.splunkd version output, package inventory, and network exposure evidence.Patch immediately or disable the PostgreSQL sidecar service using Splunk's documented workaround.
Potentially exposedSplunk Enterprise is in inventory but exact version or sidecar configuration is not yet verified.CMDB, deployment manifests, or direct host inspection.Inventory the host and verify version plus sidecar status before assuming safety.
Not exposedThe host is on 10.2.4 or later, 10.0.7 or later, or the sidecar service is disabled and validated.Version proof, negative exposure evidence, and configuration review.Preserve closure evidence and keep monitoring for tampering attempts.
UnknownNo version evidence or filesystem telemetry is available.Evidence gap log.Assume exposure until you can prove otherwise.

Technical Analysis

The vulnerable boundary is not a typical authenticated admin endpoint; it is a network-reachable service component that Splunk's advisory says lacked authentication controls in affected releases [2]. That matters because file creation and file truncation are enough to damage a host even without direct code execution.

Practical abuse paths include:

  • Filesystem integrity loss: overwrite or truncate Splunk configuration, search artifacts, deployment state, or logging data. [2][3]
  • Credential exposure: if secrets, tokens, or key material live in readable files on the same host, a file-write primitive can destroy integrity controls or prepare follow-on access by modifying scripts and configs that reference those secrets. [2][3]
  • Persistence or tampering: if the process can write into application directories, an attacker may be able to alter startup behavior, suppress detection, or stage a later payload using legitimate Splunk-managed paths. [2][3]

The evidence does not justify claiming specific malware, source IPs, or a particular campaign. It does justify treating affected internet-facing Splunk hosts as high-priority integrity targets because a file-write bug in a management plane can be used to break monitoring, alter configuration, and complicate incident response. [1][2][3]

Downstream Abuse Audits

Compromised workstations expose active API credentials, requiring immediate rotated revocation. The following platforms are at risk:

  • GitHub OIDC and PATs: Attackers harvested SSH private keys and Git Personal Access Tokens. Auditors must inspect recent action runs and release logs during the exposure window.
  • Cloud IAM Credentials: AWS, Azure, and GCP session tokens. CloudTrail and Activity Logs should be queried for AssumeRole or write operations originating from unexpected IP addresses.
  • NPM and Package Registries: Publishing tokens and credentials. Registry profiles must be audited for unauthorized version publishes or token additions.

Timeline

  • 2026-06-10: Splunk publishes advisory SVD-2026-0603 and the initial disclosure for CVE-2026-20253 [2].
  • 2026-06-15: Splunk updates the advisory to add the PostgreSQL disablement workaround [2].
  • 2026-06-18: CISA adds CVE-2026-20253 to KEV and sets the due date to 2026-06-21 [1].

Indicators of Compromise

The following indicators of compromise (IOCs) can be used to scope exposure across local repositories, systems, and telemetry exports:

Urls

  • hxxps://advisory[.]splunk[.]com/advisories/SVD-2026-0603
  • hxxps://www[.]cisa[.]gov/sites/default/files/feeds/known_exploited_vulnerabilities[.]json

Remediation and Closure

  1. Upgrade Splunk Enterprise to 10.2.4, 10.0.7, or 10.4.0 or later [2].
  2. If you cannot upgrade immediately, disable the PostgreSQL sidecar service as Splunk documents and restart the instance [2].
  3. Verify that Splunk-managed files under $SPLUNK_HOME/etc/system/local/ and adjacent app directories have not been truncated or replaced.
  4. Preserve file hashes, timestamps, and relevant logs before restoring any affected configuration.
  5. Keep the incident open until version proof, mitigation proof, and a negative integrity review are all complete.

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
Jun 18, 2026First seenFirst seen recorded for Splunk Enterprise CVE-2026-20253: KEV Arbitrary File Creation via PostgreSQL Sidecar.advisory.splunk.com
Jun 18, 2026DiscoveryDiscovery recorded for Splunk Enterprise CVE-2026-20253: KEV Arbitrary File Creation via PostgreSQL Sidecar.advisory.splunk.com
Jun 18, 2026DisclosureDisclosure recorded for Splunk Enterprise CVE-2026-20253: KEV Arbitrary File Creation via PostgreSQL Sidecar.advisory.splunk.com
Jun 18, 2026Splunk Enterprise CVE-2026-20253: KEV Arbitrary File Creation via PostgreSQL SidecarUnknownadvisory.splunk.com

Affected Software

0 of 0 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
No rows match the active filters.

IOC Clipboard

2 IOCs
urlhttps://advisory.splunk.com/advisories/SVD-2026-0603
urlhttps://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
local repository and exported telemetry scopePythonDoes the telemetry scope contain patterns associated with Splunk Enterprise CVE-2026-20253: KEV Arbitrary File Creation via PostgreSQL Sidecar?scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabadvisory.splunk.com

Hunt Manifest: local repository and exported telemetry scope

Title
local repository and exported telemetry scope
Question
Does the telemetry scope contain patterns associated with Splunk Enterprise CVE-2026-20253: KEV Arbitrary File Creation via PostgreSQL Sidecar?
Telemetry Family
Python
Repository
scripts/local_repository_and_exported_telemetry_scope.py
Show tested hunting scriptscripts/local_repository_and_exported_telemetry_scope.py
scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabPython
#!/usr/bin/env python3
"""Audit Splunk Enterprise CVE-2026-20253 exposure and abuse evidence.

The script scans a repository tree and optional telemetry export tree for
incident-specific selectors drawn from the CISA KEV entry, the Splunk advisory,
and NVD. It reports whether the tree contains version strings, file-path hints,
or mitigation evidence tied to the PostgreSQL sidecar service.
"""

import json
import os
import sys
from pathlib import Path
from typing import Iterable

CVE_ID = "CVE-2026-20253"
ADVISORY_ID = "SVD-2026-0603"
CISA_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
SPLUNK_ADVISORY_URL = "https://advisory.splunk.com/advisories/SVD-2026-0603"
NVD_URL = "https://nvd.nist.gov/vuln/detail/CVE-2026-20253"
URLS = ["https://advisory.splunk.com/advisories/SVD-2026-0603","https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"]

# Collect unique indicators
indicators = set()
for group in [URLS]:
    for val in group:
        if val:
            indicators.add(val)

AFFECTED_VERSION_STRINGS = [
    "10.2 versions below 10.2.4",
    "10 versions below 10.0.7",
    "10.2.0 to 10.2.3",
    "10.0.0 to 10.0.6",
    "10.2.3",
    "10.0.6",
    "10.2.4",
    "10.0.7",
]
MITIGATION_STRINGS = [
    "[postgres]",
    "disabled = true",
    "$SPLUNK_HOME/etc/system/local/server.conf",
    "disable the PostgreSQL sidecar service",
    "Sidecar Configuration Settings",
    "Postgresql Configuration",
]
CONTEXT_STRINGS = [
    CVE_ID,
    ADVISORY_ID,
    "Splunk Enterprise",
    "PostgreSQL sidecar service endpoint",
    "create or truncate arbitrary files",
]
INDICATORS = sorted({
    *AFFECTED_VERSION_STRINGS,
    *MITIGATION_STRINGS,
    *CONTEXT_STRINGS,
    *DOMAINS,
    *PROCESS_PATTERNS,
    CISA_FEED_URL,
    SPLUNK_ADVISORY_URL,
    NVD_URL,
})
EXCLUDED_DIR_NAMES = {".git", "node_modules", "vendor", "dist", "__pycache__", ".venv"}
TEXT_SUFFIXES = {".conf", ".txt", ".log", ".md", ".json", ".yaml", ".yml", ".py", ".ini", ".cfg", ".xml", ".toml"}


def _scan_tree(root: Path) -> list[dict[str, object]]:
    matches: list[dict[str, object]] = []
    if not root.exists():
        return matches

    for path in root.rglob("*"):
        if path.is_dir():
            continue
        if any(part in EXCLUDED_DIR_NAMES for part in path.parts):
            continue
        if path.suffix and path.suffix not in TEXT_SUFFIXES and path.name not in {"server.conf"}:
            # Keep the scan focused on text-like files, but still allow key config names.
            continue
        try:
            content = path.read_text(errors="ignore")
        except Exception:
            continue
        hits = [indicator for indicator in INDICATORS if indicator.lower() in content.lower()]
        if hits:
            matches.append({
                "path": str(path),
                "hits": sorted(set(hits)),
            })
    return matches


def _ensure_out_dir(out_dir: Path) -> None:
    out_dir.mkdir(parents=True, exist_ok=True)


def _write_lines(path: Path, lines: Iterable[str]) -> None:
    path.write_text("\n".join(lines) + "\n", encoding="utf-8")


def main() -> int:
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    log_root_env = os.environ.get("LOG_ROOT", "").strip()
    log_root = Path(log_root_env) if log_root_env else None
    out_dir = Path(os.environ.get("OUT", "hp-splunk-enterprise-cve-2026-20253-kev-scope"))
    _ensure_out_dir(out_dir)

    selectors_file = out_dir / "selectors.txt"
    _write_lines(selectors_file, INDICATORS)

    repo_matches = _scan_tree(root)
    log_matches = _scan_tree(log_root) if log_root else []

    report = {
        "cve_id": CVE_ID,
        "advisory_id": ADVISORY_ID,
        "root": str(root),
        "log_root": str(log_root) if log_root else "",
        "indicator_count": len(INDICATORS),
        "repository_matches": repo_matches,
        "telemetry_matches": log_matches,
        "exposure_signals": {
            "affected_version_seen": any(
                any(version.lower() in hit.lower() for hit in entry["hits"])  # type: ignore[index]
                for entry in repo_matches
                for version in AFFECTED_VERSION_STRINGS
            ),
            "mitigation_seen": any(
                any(mitig.lower() in hit.lower() for hit in entry["hits"])  # type: ignore[index]
                for entry in repo_matches
                for mitig in MITIGATION_STRINGS
            ),
        },
    }

    report_path = out_dir / "audit-report.json"
    report_path.write_text(json.dumps(report, indent=2, sort_keys=True) + "\n", encoding="utf-8")

    summary = [
        f"[+] selectors written: {selectors_file}",
        f"[+] repository matches: {len(repo_matches)}",
        f"[+] telemetry matches: {len(log_matches)}",
        f"[+] report written: {report_path}",
    ]
    print("\n".join(summary))
    return 0


if __name__ == "__main__":
    raise SystemExit(main())

Provenance & Sources

3 of 3 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
advisory.splunk.comSecurity Researcher95%1CISA added Splunk Enterprise CVE-2026-20253 to KEV on 2026-06-18. The vulnerability allows an unauthenticated user to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint in affected Splunk Enterprise releases.
nvd.nist.govSecurity Researcher95%1CISA added Splunk Enterprise CVE-2026-20253 to KEV on 2026-06-18. The vulnerability allows an unauthenticated user to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint in affected Splunk Enterprise releases.
cisa.govSecurity Researcher95%1CISA added Splunk Enterprise CVE-2026-20253 to KEV on 2026-06-18. The vulnerability allows an unauthenticated user to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint in affected Splunk Enterprise releases.