
June 17, 2026

Exploited Splunk vulnerability could allow RCE on exposed systems


At a glance: Active exploitation of CVE-2026-20253 began within days of disclosure, targeting exposed Splunk Enterprise systems that provide unauthenticated access. The flaw enables file write access that can be extended into remote code execution, giving control of the Splunk server. Internet-reachable deployments with the PostgreSQL sidecar service enabled carry the highest risk and require immediate remediation.

Threat summary

Researchers reported exploitation activity starting June 15, 2026, targeting a vulnerability in Splunk Enterprise that is reachable without authentication and can lead to remote code execution. Splunk disclosed the issue and released patches on June 10, 2026, and researchers published proof-of-concept (PoC) details on June 12, demonstrating how the vulnerability can be extended into full control of the Splunk server.

The vulnerability, tracked as CVE-2026-20253, affects Splunk Enterprise, a platform used to collect, search, and analyze logs and security data across IT environments. It was rated with a CVSS score of 9.8, and is described as an unauthenticated arbitrary file creation and truncation flaw.

The issue exists in the PostgreSQL sidecar service introduced in Splunk Enterprise version 10. This component is not enabled in all deployments. For example, Splunk Enterprise on AWS has it enabled by default, while other installations may have it installed but not active.

The PostgreSQL sidecar service is an internal component that runs alongside the main Splunk application to support features such as configuration management and data processing. It uses PostgreSQL, an open-source database, and operates as a separate process. The service listens on the local system and exposes API endpoints for tasks such as database backup and restore. These endpoints are not directly exposed externally, but they can be accessed indirectly through the Splunk web interface, which forwards requests internally.

In affected versions, the sidecar service lacks authentication controls and accepts requests without validating credentials, which allows adversaries to interact with it if they can reach the Splunk web interface.

The vulnerability affects the following Splunk Enterprise versions with the sidecar service enabled:

  • Splunk Enterprise 10.0.0 to 10.0.6 (fixed in 10.0.7)

  • Splunk Enterprise 10.2.0 to 10.2.3 (fixed in 10.2.4)

Splunk Enterprise 10.4 is not affected because it includes the fix as part of its base release. Splunk Cloud Platform is not affected because it does not use this component.
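As an added triage helper (not part of the advisory or any Splunk tooling), the following script classifies hosts from a version inventory against the affected ranges listed above, combined with whether the sidecar service is enabled on each host. The inventory entries and hostnames are constructed; the handling of version lines the advisory does not name (for example 10.1 or 10.3) is reported as "not-listed" rather than guessed.

```python
import re

# Affected ranges from the advisory (inclusive), keyed by release line,
# with the fixed version for that line.
AFFECTED_RANGES = {
    (10, 0): ((10, 0, 0), (10, 0, 6), "10.0.7"),
    (10, 2): ((10, 2, 0), (10, 2, 3), "10.2.4"),
}
FIRST_UNAFFECTED_LINE = (10, 4, 0)  # 10.4 ships with the fix in its base release

# Constructed sample inventory: hostname -> (version string, sidecar enabled?)
SAMPLE_INVENTORY = {
    "splunk-aws-01": ("10.0.3", True),
    "splunk-dc-02": ("10.2.3", False),
    "splunk-dc-03": ("10.2.4", True),
    "splunk-lab-04": ("10.4.0", True),
    "splunk-old-05": ("9.4.2", False),
}


def parse_version(s):
    """Turn 'MAJOR.MINOR.PATCH' into a comparable tuple of ints."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def assess(version, sidecar_enabled):
    """Classify one host; returns (status, detail)."""
    v = parse_version(version)
    if v[0] < 10:
        # The sidecar service was introduced in version 10.
        return ("not-affected", "pre-10 release, sidecar service not present")
    rng = AFFECTED_RANGES.get(v[:2])
    if rng is not None:
        lo, hi, fixed = rng
        if lo <= v <= hi:
            if sidecar_enabled:
                return ("vulnerable", f"upgrade to {fixed} or disable the sidecar")
            # Sidecar off removes the exposed functionality, but the code is still present.
            return ("vulnerable-if-enabled", f"sidecar disabled; still upgrade to {fixed}")
        return ("patched", f"at or above {fixed}")
    if v >= FIRST_UNAFFECTED_LINE:
        return ("not-affected", "10.4 and later include the fix")
    return ("not-listed", "release line not named in the advisory; verify with vendor")


def triage(inventory):
    """Apply assess() to every host and return {host: (status, detail)}."""
    return {host: assess(ver, on) for host, (ver, on) in inventory.items()}


if __name__ == "__main__":
    for host, (status, detail) in triage(SAMPLE_INVENTORY).items():
        print(f"{host:<15} {status:<22} {detail}")
```

Hosts reported as "vulnerable" and reachable from untrusted networks are the ones to remediate first; "vulnerable-if-enabled" hosts should still be patched so that a later configuration change does not reintroduce the exposure.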

The PoC demonstrated that this unauthenticated access can be extended into remote code execution through a sequence of actions. Exploitation requires a vulnerable Splunk Enterprise instance with the PostgreSQL sidecar service enabled and a reachable web interface, which allows access to internal endpoints through request forwarding.

Once reachable, the service accepts arbitrary input without authentication, allowing a threat actor to send crafted HTTP requests to create or overwrite files. This file-write access can then be combined with built-in PostgreSQL functionality and stored credentials to execute attacker-controlled code on the system.

Analysis

The vulnerability could lead to remote code execution under the Splunk service account, which typically has broad access to the host system, including application files, logs, and, in many cases, credentials and integrations. This level of access allows a threat actor to control the Splunk server and use it to access additional systems.

Systems that expose the Splunk web interface to untrusted networks carry higher risk because exploitation does not require credentials. The availability of a PoC and reported exploitation activity increases the likelihood of scanning and opportunistic attacks targeting exposed systems. A compromised system allows code execution, access to or modification of logs, and use of the system as a pivot point into other parts of the environment.

Upgrading Splunk Enterprise to fixed versions released on June 10, 2026 removes the vulnerable endpoint. Limiting access to the Splunk web interface reduces exposure, especially for systems reachable from the internet. Splunk also provides an option to disable the PostgreSQL sidecar service, which removes the vulnerable functionality and affects features that rely on it.

Validation after patching includes reviewing logs for access to PostgreSQL sidecar endpoints, unexpected file creation or modification, and database backup or restore activity. Monitoring for unusual script execution under the Splunk service account and verifying file integrity helps identify whether exploitation occurred before updates were applied.
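One way to start the log review described above, as an added example that is not from the advisory or from Splunk: the script below parses web-access records and flags requests that touch backup or restore functionality, noting when no authenticated user is present and when the request did not come from the local host. The log lines are constructed in a generic combined-log layout rather than Splunk's own format, and the request paths are labelled placeholders because the advisory does not list the actual sidecar endpoint names; adjust the regular expression and the path terms to your deployment's logs.

```python
import re
from dataclasses import dataclass

# Constructed sample records in a generic combined-log layout. These are NOT
# real Splunk log lines, and "/PLACEHOLDER-sidecar/..." stands in for the
# real endpoint paths, which are not given in the advisory.
SAMPLE_LOG = """\
10.0.0.5 - admin [15/Jun/2026:08:01:12 +0000] "GET /en-US/app/search HTTP/1.1" 200 5120
203.0.113.7 - - [15/Jun/2026:08:03:44 +0000] "POST /PLACEHOLDER-sidecar/backup HTTP/1.1" 200 211
203.0.113.7 - - [15/Jun/2026:08:03:45 +0000] "POST /PLACEHOLDER-sidecar/restore HTTP/1.1" 200 19
127.0.0.1 - splunk-system-user [15/Jun/2026:08:05:00 +0000] "POST /PLACEHOLDER-sidecar/backup HTTP/1.1" 200 211
10.0.0.9 - jsmith [15/Jun/2026:08:06:10 +0000] "GET /en-US/account/login HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Functionality the advisory names as worth reviewing in sidecar access logs.
SUSPECT_PATH_TERMS = ("backup", "restore")


@dataclass
class Finding:
    src: str
    user: str
    method: str
    path: str
    reasons: tuple


def parse_line(line):
    """Return the record's fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_local(src):
    return src.startswith("127.") or src == "::1"


def assess(rec):
    """Return the reasons this request deserves analyst attention, or () if none."""
    reasons = []
    path = rec["path"].lower()
    if any(term in path for term in SUSPECT_PATH_TERMS):
        reasons.append("backup/restore endpoint accessed")
        if rec["user"] == "-":
            reasons.append("no authenticated user on request")
        if not is_local(rec["src"]):
            reasons.append("request did not originate from localhost")
    return tuple(reasons)


def scan(text):
    """Scan a block of log text and return one Finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = assess(rec)
        if reasons:
            findings.append(Finding(rec["src"], rec["user"], rec["method"], rec["path"], reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.src:>15} {f.user:<20} {f.method} {f.path} -> {'; '.join(f.reasons)}")
```

Hits that combine a remote source with no authenticated user are the strongest signal; a backup or restore request from a local system account may be routine, so correlate those with file-creation and process-execution events under the Splunk service account before drawing conclusions.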
