The CrowdSec Network has detected early exploitation attempts targeting CVE-2026-20253, a critical authentication bypass vulnerability in Splunk Enterprise and Splunk Cloud Platform.

Key findings
- On June 15, 2026, CrowdSec released a detection rule for this vulnerability.
- Exploit attempts were first seen on June 17, 2026, and the exploit phase is currently marked as “Early Exploitation”. Currently, we are tracking 20 malicious IPs exploiting this flaw.
- The CrowdSec API tracker now features indicators of compromise, such as http_path.
What is Splunk Enterprise?
Splunk Enterprise and Splunk Cloud Platform are widely used security and observability data platforms that handle critical and sensitive machine data. They are typically managed by security teams, operations professionals, and IT administrators.
Because Splunk instances store high-value, centralized log data and often provide access across multiple environments, a compromise can result in severe data loss, deep system access, and wide-scale environment infiltration.
How does CVE-2026-20253 work?
In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.3 and 10.2.2510.14, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The weakness is classified as Missing Authentication for Critical Function.
The vulnerability exists because a PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials. Attackers exploit the Splunk PostgreSQL Sidecar Service by sending POST requests to endpoints matching /splunkd/__raw/v1/postgres/recovery/backup, often including a Basic Authorization header, either to attempt unauthorized access or to provoke error responses that leave detection artifacts.
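The request pattern above is simple enough to hunt for in ordinary web-server access logs. The following is an added example, not CrowdSec's own detection rule: it parses combined-format access log lines (constructed sample data, not real traffic), flags POST requests whose path contains the sidecar backup endpoint, and tallies the source IPs. Substring matching on the path is an assumption chosen so that a query string or mounted prefix does not evade the check; the response status is deliberately ignored, because a 401 or 500 still marks an attempt.

```python
import re
from collections import Counter

# Constructed sample lines in combined access-log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [17/Jun/2026:08:01:12 +0000] "POST /splunkd/__raw/v1/postgres/recovery/backup HTTP/1.1" 401 512 "-" "python-requests/2.31"
198.51.100.7 - - [17/Jun/2026:08:01:13 +0000] "POST /en-US/app/search/search HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.10 - - [17/Jun/2026:08:01:20 +0000] "POST /splunkd/__raw/v1/postgres/recovery/backup?x=1 HTTP/1.1" 500 300 "-" "curl/8.4"
192.0.2.44 - - [17/Jun/2026:08:02:05 +0000] "GET /splunkd/__raw/v1/postgres/recovery/backup HTTP/1.1" 405 128 "-" "curl/8.4"
198.51.100.7 - - [17/Jun/2026:08:03:41 +0000] "POST /splunkd/__raw/v1/postgres/recovery/backup HTTP/1.1" 403 96 "-" "curl/8.4"
"""

# Indicator from the advisory: the PostgreSQL sidecar backup endpoint.
TARGET_PATH = "/splunkd/__raw/v1/postgres/recovery/backup"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_cve_2026_20253_probe(entry):
    """POST to the sidecar endpoint, regardless of the status code the server returned.

    Substring match (assumption) so that '?query' suffixes or path prefixes do not hide the request.
    """
    return entry["method"] == "POST" and TARGET_PATH in entry["path"]


def scan_log(text):
    """Return the parsed entries that match the exploitation pattern."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and is_cve_2026_20253_probe(entry):
            hits.append(entry)
    return hits


def offending_ips(text):
    """Count matching requests per source IP, ready for blocking or enrichment."""
    return Counter(h["ip"] for h in scan_log(text))


if __name__ == "__main__":
    for ip, n in offending_ips(SAMPLE_LOG).most_common():
        print(f"{ip}\t{n} request(s) to {TARGET_PATH}")
```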
Threat Landscape Analysis
CrowdSec has been tracking this vulnerability since our detection rule was released on June 15, 2026. Analysis of our network traffic places this threat firmly in the Early Exploitation phase.
Since the first observed attack on June 17, our global network has flagged 20 unique malicious IP addresses actively attempting to exploit this vulnerability. While this indicates that attacks are not yet widespread, the threat environment is escalating rapidly. Publicly available exploits already exist, making it easy for threat actors to launch automated campaigns.
Furthermore, the severity of the flaw (CVSS 9.8) prompted CISA to quickly add it to its Known Exploited Vulnerabilities (KEV) catalog just a day after the attacks were first observed. Though the initial attack volume remains targeted, the combination of a high-value system like Splunk and the availability of public exploits suggests that large-scale scanning could surge quickly, making immediate remediation critical.
How to protect your systems
Patch: Splunk has released software updates to mitigate this vulnerability. Organizations using affected versions should update to the patched releases immediately.
Preemptive blocking: The CrowdSec Security Engine and its WAF capabilities can detect and block unauthorized requests targeting the vulnerable endpoints. Check out our special 3-minute introduction track at: https://start.crowdsec.net
Stay proactive: For instant monitoring of how this CVE evolves, follow the CrowdSec Live Exploit Tracker for CVE-2026-20253.
Sharing insights and taking swift action can collectively reduce the impact of these threats. This is your call to action for real-time threat intelligence and collaborative cybersecurity.
