Latest Splunk Enterprise vulnerability: CVE-2026-20253
Splunk disclosed that certain versions of Splunk Enterprise ship with a PostgreSQL Sidecar Service that contains an unauthenticated file upload vulnerability. A remote, unauthenticated attacker can use this vulnerability to forge remote database connections and trigger database administrative actions, achieving remote code execution and gaining access to the underlying operating system. The vulnerability has been designated CVE-2026-20253 and is rated critical with a CVSS score of 9.8.
The following versions are affected:
- Splunk Enterprise:
  - Versions 10.0.0 through 10.0.6
  - Versions 10.2.0 through 10.2.3
What is Splunk Enterprise?
Splunk provides ingestion and indexing of machine-generated data, and is commonly used for logging, tracing, SIEM, and other business processes. The PostgreSQL Sidecar Service is a Splunk-provided storage integration that supplies a PostgreSQL database and an API for Splunk Enterprise deployments.
What is the impact?
Successful exploitation of this vulnerability would allow a remote, unauthenticated attacker to bypass authentication, trigger database backups, and trigger database restores containing attacker-controlled connection information, leading to complete system compromise.
Are updates or workarounds available?
Users are encouraged to update to the latest version as quickly as possible:
- Splunk Enterprise 10.0.x: Version 10.0.7 or later.
- Splunk Enterprise 10.2.x: Version 10.2.4 or later.
Splunk has provided a set of workarounds and mitigations in their advisory.
How to find potentially vulnerable systems with runZero
From the Software inventory, use the following query to locate potentially impacted assets:
vendor:="Splunk" AND (product:="Splunk" OR product:="splunkd") AND
version:>0 AND
((version:>=10.0.0 AND version:<=10.0.6) OR
(version:>=10.2.0 AND version:<=10.2.3))
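The runZero query above filters on vendor, product and an inclusive version range, and its `version:>0` clause deliberately drops assets whose version is unknown. The same check can be run against any other software inventory export, but only if versions are compared numerically: as strings, "10.0.10" sorts before "10.0.6", so naive comparison misses or misflags builds. The following is an added example, not runZero's code or Splunk's; the affected and fixed versions are taken from the advisory summary above, while the inventory records, the field names (`asset`, `vendor`, `product`, `version`) and the version "10.0.10" are constructed for the example and are not a runZero export format.

```python
"""Flag inventory records in the CVE-2026-20253 affected Splunk Enterprise ranges.

Added example: affected ranges and fixed versions come from the advisory
summary; the inventory layout below is constructed and is not a runZero export.
"""
from __future__ import annotations

# Inclusive affected ranges from the advisory: 10.0.0-10.0.6 and 10.2.0-10.2.3.
AFFECTED_RANGES = [
    ((10, 0, 0), (10, 0, 6)),
    ((10, 2, 0), (10, 2, 3)),
]
# First fixed release of each affected branch, per the advisory.
FIXED_VERSIONS = {(10, 0): "10.0.7", (10, 2): "10.2.4"}


def parse_version(version: str) -> tuple[int, ...] | None:
    """Parse 'MAJOR.MINOR.PATCH' into an int tuple so comparisons are numeric.

    Any build suffix ('10.2.3-build42', '10.0.6+meta') is dropped; a missing
    component is padded with 0 so '10.0' compares like '10.0.0'; anything
    non-numeric (e.g. 'unknown') yields None so the caller can treat it as
    unresolved rather than silently safe.
    """
    core = version.strip().split("-")[0].split("+")[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    nums = tuple(int(p) for p in parts)
    if len(nums) < 3:
        nums = nums + (0,) * (3 - len(nums))
    return nums


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the inclusive affected ranges.

    Only the first three components are compared; a fourth component (if a
    vendor ever ships one) is treated as the same patch level, which errs on
    the side of flagging the asset for review.
    """
    parsed = parse_version(version)
    if parsed is None:
        return False
    return any(lo <= parsed[:3] <= hi for lo, hi in AFFECTED_RANGES)


def classify(vendor: str, product: str, version: str) -> str:
    """Classify one record the way the runZero query does.

    Returns 'other_product', 'unknown_version', 'affected' or 'not_affected'.
    Vendor/product matching is case-insensitive here (an assumption of this
    example; the runZero query uses exact matches).
    """
    if vendor.strip().lower() != "splunk":
        return "other_product"
    if product.strip().lower() not in ("splunk", "splunkd"):
        return "other_product"
    if parse_version(version) is None:
        return "unknown_version"
    return "affected" if is_affected(version) else "not_affected"


def report(inventory: list[dict[str, str]]) -> list[tuple[str, str, str]]:
    """Return (asset, version, first fixed version) for each affected record."""
    findings = []
    for rec in inventory:
        if classify(rec["vendor"], rec["product"], rec["version"]) == "affected":
            branch = parse_version(rec["version"])[:2]
            findings.append((rec["asset"], rec["version"], FIXED_VERSIONS[branch]))
    return findings


# Constructed sample inventory (not real hosts or a real export).
SAMPLE_INVENTORY = [
    {"asset": "splunk-idx-01", "vendor": "Splunk", "product": "splunkd", "version": "10.0.6"},
    {"asset": "splunk-sh-01", "vendor": "Splunk", "product": "Splunk", "version": "10.0.10"},
    {"asset": "splunk-sh-02", "vendor": "Splunk", "product": "Splunk", "version": "10.2.3-build42"},
    {"asset": "splunk-hf-01", "vendor": "Splunk", "product": "splunkd", "version": "10.2.4"},
    {"asset": "splunk-old-01", "vendor": "Splunk", "product": "Splunk", "version": "unknown"},
    {"asset": "pg-01", "vendor": "PostgreSQL", "product": "postgres", "version": "10.0.1"},
]

if __name__ == "__main__":
    for asset, version, fix in report(SAMPLE_INVENTORY):
        print(f"{asset}: {version} is affected by CVE-2026-20253; update to {fix} or later")
    unresolved = [r["asset"] for r in SAMPLE_INVENTORY
                  if classify(r["vendor"], r["product"], r["version"]) == "unknown_version"]
    if unresolved:
        print("version unknown, review manually:", ", ".join(unresolved))
```

Records whose version cannot be parsed are reported separately rather than dropped, since an asset with no version string is exactly the kind the query's `version:>0` clause leaves out of the result set.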