Overview
- Splunk disclosed CVE-2026-20253 and shipped patches on June 10, listing the affected releases and the fixed versions: 10.4.0, 10.2.4 and 10.0.7, or later releases on those branches.
- Researchers at watchTowr published a technical deep dive and a neutered proof-of-concept on June 12 showing how an unauthenticated attacker can achieve remote code execution through the PostgreSQL sidecar.
- Splunk confirmed limited in-the-wild exploitation on June 18 and the U.S. Cybersecurity and Infrastructure Security Agency added the flaw to its Known Exploited Vulnerabilities catalog, directing federal agencies to remediate by Sunday, June 21.
- Available defenses: upgrade immediately to a fixed release; as a stopgap, disable the PostgreSQL sidecar to remove the exposed attack surface, noting that this may disrupt Splunk backup and recovery features; and use community IOCs and Nuclei templates to hunt for signs of compromise.
- A compromised Splunk deployment can blind defenders, expose stored credentials and allow tampering with security logs, which raises the risk of prolonged intrusions and lateral movement inside affected organizations.
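The first defensive step above is confirming which hosts are still on an affected release. The script below is an added example written for this page, not code from Splunk, watchTowr or CISA. It takes only what the summary states, that the fix shipped in 10.4.0, 10.2.4 and 10.0.7, and assumes earlier releases on those three branches are affected. The page does not say whether other branches (for instance 10.1.x or 10.3.x) or pre-10.0 releases are affected, so the script reports those as UNKNOWN rather than guessing; treat them as potentially affected until checked against the vendor advisory. The inventory format, hostnames and version strings are constructed for illustration.

```python
"""Triage a Splunk host inventory against the fixed releases for CVE-2026-20253.

Added example, not vendor code. Assumptions (from the summary above, not the
advisory text itself): fixed in 10.4.0, 10.2.4 and 10.0.7; earlier releases on
those branches are affected; any other branch is UNKNOWN, not safe.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# (major, minor) branch -> first fixed release on that branch, per the summary above.
FIXED_RELEASES: dict[tuple[int, int], tuple[int, int, int]] = {
    (10, 4): (10, 4, 0),
    (10, 2): (10, 2, 4),
    (10, 0): (10, 0, 7),
}

# Accepts "10.0.7" as well as build-suffixed forms such as "10.0.7.1" or "10.0.7-foo".
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:[.\-+].*)?\s*$")


def parse_version(text: str) -> tuple[int, int, int] | None:
    """Return (major, minor, patch) or None if the string is not a recognisable version."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(version: str) -> str:
    """Classify one version string as FIXED, AFFECTED or UNKNOWN."""
    v = parse_version(version)
    if v is None:
        return "UNKNOWN"
    fixed = FIXED_RELEASES.get((v[0], v[1]))
    if fixed is None:
        # Branch not named in the summary: do not assume it is safe.
        return "UNKNOWN"
    return "FIXED" if v >= fixed else "AFFECTED"


@dataclass
class Finding:
    host: str
    version: str
    status: str


def triage(inventory: str) -> list[Finding]:
    """Parse 'host<TAB>version' lines (constructed format) and return findings, worst first."""
    rank = {"AFFECTED": 0, "UNKNOWN": 1, "FIXED": 2}
    findings: list[Finding] = []
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition("\t")
        version = version.strip()
        findings.append(Finding(host, version, assess(version)))
    return sorted(findings, key=lambda f: (rank[f.status], f.host))


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = """\
# host\tsplunk_version
sh-01\t10.4.0
idx-01\t10.2.3
idx-02\t10.2.4
hf-01\t10.0.6
hf-02\t10.0.7.1
dev-01\t10.3.1
legacy-01\t9.4.2
broken\tn/a
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.status:8} {f.host:10} {f.version}")
```

The branch-aware comparison matters here: a naive "is the version at least 10.0.7" check would wrongly mark 10.2.3 as fixed, and a naive "is it at least 10.4.0" check would wrongly mark 10.2.4 and 10.0.7 as affected. Feed it the output of your asset inventory or `splunk version` collection and fix the AFFECTED rows first, then resolve the UNKNOWN rows against the advisory.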