CVE-2026-20253 - Vulnerability Details

- Unauthenticated Arbitrary File Creation and Truncation in a PostgreSQL Sidecar Service Endpoint in Splunk Enterprise

Description

In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.3 and 10.2.2510.14, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint.<br><br>The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials.

Published: 2026-06-10

Score: 9.8 Critical

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A lack of authentication on the PostgreSQL sidecar service endpoint allows a remote, unauthenticated user to create or truncate any file on the system. This flaw makes it possible for an attacker to write malicious files, overwrite existing binaries, or delete key files without permission. Because no credentials are required, the vulnerability can be exploited by any user who can reach the service over the network, potentially leading to data loss or unauthorized code execution.

Affected Systems

Splunk Cloud Platform versions older than 10.4.2604.3 and 10.2.2510.14, and Splunk Enterprise versions older than 10.2.4 and 10.0.7 are affected. Users running these older builds are at risk until they upgrade to the specified safe releases.

Risk and Exploitability

The CVSS score of 9.8 reflects the high impact and ease of exploitation. No EPSS data is available, but the absence of authentication controls means the attacker does not need any additional credentials or privileges. The vulnerability has not been listed in the CISA KEV catalog, but the severity and lack of authentication make it a critical concern. Attackers with network reach to the sidecar endpoint can immediately exploit this issue to alter or delete files on the host.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Splunk

Splunk Enterprise

affected

Version	Status	Constraints
`10.2`	affected	< 10.2.4
`10.0`	affected	< 10.0.7

Splunk

Splunk Cloud Platform

affected

Version	Status	Constraints
`10.4.2604`	affected	< 10.4.2604.3
`10.2.2510`	affected	< 10.2.2510.14

No data.

Vendor Product Confidence Versions

Splunk

Splunk Cloud Platform

100%

Version	Status	Scheme	Platform
`[10.4.2604,10.4.2604.3)`	affected	generic	—
`[10.2.2510,10.2.2510.14)`	affected	generic	—

Splunk

Splunk Enterprise

100%

Version	Status	Scheme	Platform
`[10.2,10.2.4)`	affected	generic	—
`[10.0,10.0.7)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Splunk Enterprise update (≥10.2.4 or ≥10.0.7) and Splunk Cloud Platform update (≥10.4.2604.3 or ≥10.2.2510.14) to remove the unauthenticated endpoint.
Restrict network access to the PostgreSQL sidecar service endpoint using firewall rules or VPN restrictions to limit exposure to trusted hosts.
If an update is not yet available, apply any Splunk security advisories that enable authentication on the sidecar endpoint or otherwise enforce access control to the service.

Generated by OpenCVE AI on June 10, 2026 at 19:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://advisory.splunk.com/advisories/SVD-2026-0603

History

Wed, 10 Jun 2026 20:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Splunk Splunk splunk Cloud Platform Splunk splunk Enterprise
Vendors & Products		Splunk Splunk splunk Cloud Platform Splunk splunk Enterprise

Wed, 10 Jun 2026 19:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 10 Jun 2026 18:15:00 +0000

Type	Values Removed	Values Added
Description		In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.3 and 10.2.2510.14, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint.<br><br>The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials.
Title		Unauthenticated Arbitrary File Creation and Truncation in a PostgreSQL Sidecar Service Endpoint in Splunk Enterprise
Weaknesses		CWE-306
References		https://advisory.splunk.com/advisories/SVD-2026-0603
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Splunk Splunk Cloud Platform Splunk Enterprise

MITRE

Status: PUBLISHED

Assigner: cisco

Published: 2026-06-10T17:16:21.242Z

Updated: 2026-06-10T18:22:53.072Z

Reserved: 2025-10-08T11:59:15.401Z

Link: CVE-2026-20253

Vulnrichment

Updated: 2026-06-10T18:22:50.236Z

NVD

Status : Undergoing Analysis

Published: 2026-06-10T18:16:40.760

Modified: 2026-06-10T18:36:19.463

Link: CVE-2026-20253

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T20:30:27Z

Weaknesses

CWE-306

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object