Splunk Enterprise flaw is being actively exploited.
CISA warned that CVE-2026-20253, a critical Splunk Enterprise vulnerability, is being exploited in attacks and ordered U.S. federal agencies to patch by Sunday, June 21. The flaw affects Splunk Enterprise 10.2.0–10.2.3 and 10.0.0–10.0.6, allowing unauthenticated remote attackers to create or truncate arbitrary files via a PostgreSQL sidecar service endpoint. WatchTowr published technical details and proof-of-concept exploit code shortly after Splunk released patches. Splunk confirmed limited in-the-wild exploitation and recommended upgrading to fixed releases; disabling the PostgreSQL sidecar service is listed as a mitigation when immediate patching is not possible.