Vulnerability  ·  2026-06-19

Splunk Enterprise Unauthenticated PostgreSQL Sidecar RCE — CISA KEV Added June 18, 2026 (CVE-2026-20253)

Vulnerability · High impact · Global · CVE-2026-20253
Splunk disclosed CVE-2026-20253 on June 10, 2026. It affects Splunk Enterprise releases in the 10.0.x and 10.2.x branches. A PostgreSQL sidecar service endpoint introduced in Splunk 10 has no authentication at all (CWE-306), so any unauthenticated attacker who can reach the endpoint over the network can create or truncate arbitrary files on the host. watchTowr Labs demonstrated that this file-write primitive can be chained into full pre-authentication remote code execution by abusing PostgreSQL's lo_export function (which writes a large object to a server-side file path) to drop and execute malicious scripts. A public PoC was available by June 12. Active exploitation was observed from June 15, and CISA added the CVE to its Known Exploited Vulnerabilities catalog on June 18, 2026, with a federal remediation deadline of June 21. Fixes are available in Splunk Enterprise 10.0.7 and 10.2.4; Splunk Enterprise 10.4 and Splunk Cloud are not affected.
Splunk Enterprise is the dominant SIEM and log-analytics platform, and it is widely used in AI/ML operations pipelines for telemetry, model-output monitoring, and security observability. Compromise of the Splunk server gives an attacker complete visibility into, and control over, the defender's detection infrastructure, so blind spots can be created before further attacks on AI workloads. The CISA KEV listing confirms in-the-wild exploitation, and the three-day federal patch deadline reflects the severity.
An unauthenticated network attacker sends requests to the PostgreSQL sidecar service endpoint and, because no authentication is enforced, writes attacker-controlled files. The chain then uses PostgreSQL's lo_export to write that content to a path from which it is executed, yielding remote code execution with no credentials required.
Splunk Enterprise 10.0.x (fixed in 10.0.7) and 10.2.x (fixed in 10.2.4); Splunk Enterprise on AWS has the sidecar enabled by default
Upgrade to Splunk Enterprise 10.0.7 or 10.2.4 immediately. If patching cannot happen right away, restrict network access to the PostgreSQL sidecar service port to trusted hosts only, and treat any instance that has had the port exposed since June 15 as potentially compromised. Splunk Cloud customers are protected by vendor-managed patching. Advisory: https://advisory.splunk.com/advisories/SVD-2026-0603
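The first practical step is to find out which instances in your estate are in the affected branches. The following triage script is an added example and is not code from Splunk, watchTowr, or this advisory. It assumes you have collected the output of `$SPLUNK_HOME/bin/splunk version` (which prints a line of the form `Splunk x.y.z (build ...)`) from each host; the host names and version strings below are constructed sample data. The fixed patch levels (10.0.7, 10.2.4), the unaffected 10.4 branch, and the fact that the sidecar endpoint first appeared in Splunk 10 are taken from the advisory text above; branches the advisory does not mention are reported separately rather than guessed at.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed releases per SVD-2026-0603 as summarized above:
# (major, minor) -> first patch level that contains the fix.
FIXED_PATCH = {(10, 0): 7, (10, 2): 4}

# Branches the advisory explicitly calls unaffected.
UNAFFECTED_BRANCHES = {(10, 4)}

# Matches the first x.y.z triple in a `splunk version` line.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `splunk version`-style output, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def classify(version_text: str) -> str:
    """Classify one host against the advisory.

    Returns one of:
      'vulnerable'      - listed branch, below the fixed patch level
      'fixed'           - listed branch, at or above the fixed patch level
      'unaffected'      - pre-10 (sidecar endpoint did not exist) or a branch the
                          advisory says is unaffected
      'not_in_advisory' - a 10.x branch the advisory does not mention; verify manually
      'unknown'         - version string could not be parsed
    """
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    major, minor, patch = v
    if major < 10:
        return "unaffected"  # the sidecar endpoint was introduced in Splunk 10
    if (major, minor) in UNAFFECTED_BRANCHES:
        return "unaffected"
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "not_in_advisory"
    return "fixed" if patch >= fixed else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> classification for a {host: version_output} inventory."""
    return {host: classify(output) for host, output in inventory.items()}


# Constructed sample inventory (hypothetical hosts; not real systems).
SAMPLE_INVENTORY = {
    "idx-01": "Splunk 10.0.5 (build 0123456789ab)",
    "idx-02": "Splunk 10.0.7 (build 0123456789ab)",
    "sh-01": "Splunk 10.2.3 (build abcdef012345)",
    "sh-02": "Splunk 10.2.4 (build abcdef012345)",
    "hf-01": "Splunk 10.4.0 (build fedcba987654)",
    "legacy-01": "Splunk 9.4.1 (build 111111111111)",
    "lab-01": "Splunk 10.1.2 (build 222222222222)",
    "broken-01": "command not found",
}

if __name__ == "__main__":
    results = triage(SAMPLE_INVENTORY)
    for host, status in sorted(results.items()):
        print(f"{host:<10} {status}")
    vulnerable = [h for h, s in results.items() if s == "vulnerable"]
    print(f"\n{len(vulnerable)} host(s) need the 10.0.7 / 10.2.4 upgrade: {', '.join(vulnerable)}")
```

Hosts that come back as `vulnerable` should be patched or have the sidecar port firewalled first; hosts reported as `not_in_advisory` are branches the advisory text does not cover and should be checked against the Splunk advisory directly rather than assumed safe.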
Sources
CISA KEV Catalog — CVE-2026-20253
Splunk Advisory SVD-2026-0603
NetSPI — CVE-2026-20253 Overview and Takeaways (June 15, 2026)
Field Effect — Exploited Splunk vulnerability could allow RCE (June 17, 2026)
NVD — CVE-2026-20253