CVE-2026-20253: Splunk Enterprise Missing Authentication Vulnerability (CISA KEV)

CISA Known Exploited Vulnerability (KEV): Added to the CISA KEV Catalog on June 18, 2026. Action due Sunday, June 21, 2026. BOD 26-04 3-day patch mandate applies.

CVE: CVE-2026-20253 | CWE: CWE-306 (Missing Authentication for Critical Function) | Vendor: Splunk | Product: Splunk Enterprise | Component: PostgreSQL sidecar service endpoint


What Is the Vulnerability

Splunk Enterprise contains a missing authentication vulnerability in a PostgreSQL sidecar service endpoint. An unauthenticated attacker with network access to that endpoint can create or truncate arbitrary files on the Splunk server. The PostgreSQL sidecar is a supporting service that runs alongside Splunk Enterprise deployments; because its endpoint is not gated behind authentication checks, anyone who can reach it over the network can use it to create or truncate files.

Successful exploitation can lead to arbitrary file write (potentially enabling remote code execution by writing to Splunk’s script directories or configuration paths) or file truncation (data destruction by zeroing out indexes, configuration files, or log data). As Splunk is the SIEM of record for many enterprises — ingesting, indexing, and correlating security logs from across the entire infrastructure — a compromised Splunk instance creates a catastrophic security monitoring blind spot. Attackers who gain control of Splunk can suppress alerts, delete evidence of their activities, and operate undetected across the environment. This is one of the highest-impact compromise scenarios in enterprise security architecture.


Versions Affected

  • Splunk Enterprise versions prior to the patched release
  • Splunk Cloud Platform may also be affected — consult Splunk advisory SVD-2026-0603 for specific version applicability

Exploited?

Status under investigation. CISA has added this vulnerability to the KEV catalog, indicating that active exploitation is either confirmed or expected. The BOD 26-04 3-day deadline reflects the urgency. Given the high-value nature of Splunk as a target — attackers who compromise the SIEM can operate with near-impunity — exploitation activity should be assumed. Organisations with internet-facing Splunk management or sidecar interfaces should treat this as an active threat and patch immediately.


Fix

  • Apply the Splunk patch per Splunk Advisory SVD-2026-0603 immediately
  • The patch adds proper authentication enforcement to the PostgreSQL sidecar endpoint
  • Workaround: If immediate patching is not possible, restrict network access to the PostgreSQL sidecar port to localhost only (127.0.0.1). The sidecar should not be exposed to any network interface other than loopback. Use firewall rules (iptables/nftables) to drop all external traffic to the sidecar port
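As an added illustration of the workaround above (example code, not from the advisory or from Splunk), the following POSIX shell helper flags sidecar listeners that are bound to anything other than a loopback address in `ss -Hltn` output and prints an nftables rule set that limits the port to the loopback interface. The advisory does not name the sidecar port, so `SIDECAR_PORT` is a placeholder, and the sample `ss` lines are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): audit and restrict the sidecar port.
# The advisory does not name the sidecar port, so SIDECAR_PORT is a placeholder
# that must be set from the Splunk host's configuration before real use.
SIDECAR_PORT="${SIDECAR_PORT:-PLACEHOLDER_PORT}"

# exposed_listeners PORT  (reads `ss -Hltn` output on stdin)
# Prints each Local Address:Port that listens on PORT and is not bound to a
# loopback address (127.0.0.1 or [::1]); prints nothing when only loopback.
exposed_listeners() {
  awk -v port="$1" '
    {
      addr = $4                 # column 4 of ss -Hltn is Local Address:Port
      n = split(addr, parts, ":")
      if (n < 2 || parts[n] != port) next
      host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
      if (host == "127.0.0.1" || host == "[::1]") next
      print addr
    }'
}

# nft_rules PORT
# Prints an nftables rule set that accepts PORT only on the loopback interface
# and drops it on every other interface. Load with: nft_rules PORT | nft -f -
nft_rules() {
  cat <<EOF
table inet splunk_sidecar {
  chain input {
    type filter hook input priority 0; policy accept;
    iifname "lo" tcp dport $1 accept
    tcp dport $1 drop
  }
}
EOF
}

# Constructed sample of `ss -Hltn` output; on a real host use:
#   ss -Hltn | exposed_listeners "$SIDECAR_PORT"
sample_ss="LISTEN 0 128 127.0.0.1:$SIDECAR_PORT 0.0.0.0:*
LISTEN 0 128 0.0.0.0:$SIDECAR_PORT 0.0.0.0:*"
exposed=$(printf '%s\n' "$sample_ss" | exposed_listeners "$SIDECAR_PORT")
if [ -n "$exposed" ]; then
  echo "sidecar port $SIDECAR_PORT is reachable off-host on: $exposed"
  nft_rules "$SIDECAR_PORT"
fi
```

The generated table sits alongside any existing rule sets, so the drop rule takes effect without replacing the host's current firewall; a listener on `0.0.0.0` or `[::]` is what the helper reports as exposed.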

Recommendations

  • Patch by Sunday, June 21. This is a CISA KEV deadline under the BOD 26-04 3-day mandate; federal agencies must demonstrate compliance
  • Restrict network access: Ensure Splunk management interfaces and the PostgreSQL sidecar are not accessible from untrusted networks. Place Splunk behind a VPN or restricted management network
  • Audit Splunk logs: Review for unauthorised file operations, unexpected sidecar connections, or modifications to Splunk configuration files. Check for tampering with indexes, audit logs, or alert configurations
  • Verify SIEM functionality: After patching, confirm that Splunk is ingesting logs, generating alerts, and forwarding to any downstream SIEM/SOAR systems correctly. Attackers may have disabled log forwarding or alert generation during exploitation
  • Check for persistence: Look for unauthorised scripts in Splunk’s script directories, modified cron entries, or unexpected child processes spawned by the Splunk service account
  • Federal agencies: CISA BOD 26-04 mandates remediation by June 21

References

This is a CISA Known Exploited Vulnerability (KEV) advisory. Part of the Vulnerability Intelligence series on threat-modeling.com.