CISA ordered US federal civilian agencies to patch Splunk Enterprise against CVE-2026-20253 by June 21, 2026, after confirming active in-the-wild exploitation. The agency added the flaw, which carries a CVSS score of 9.8, to its Known Exploited Vulnerabilities catalog, creating a binding remediation deadline for federal civilian networks.
The bug lives in the PostgreSQL sidecar service, a database backup component in Splunk Enterprise versions 10.2.0 through 10.2.3 and 10.0.0 through 10.0.6. That service shipped with no authentication controls: any attacker who can reach it can create or truncate arbitrary files, execute code, and take full control of the application environment, with no credentials required at any step.
That last point is the problem. Splunk is the SIEM. It’s the platform security teams use to detect attacks in progress. An attacker who owns Splunk can delete logs, suppress alerts, and move laterally while the dashboard shows all-clear. Resecurity confirmed that compromise “can significantly reduce organizational visibility, allowing additional malicious activity to proceed undetected.”
Splunk released patches on June 10: upgrade to 10.4.0, 10.2.4, or 10.0.7. watchTowr published a technical deep-dive and a neutered proof-of-concept on June 12, enough for defenders to test their own exposure without fully weaponizing the flaw. Organizations that can't patch immediately can disable the PostgreSQL sidecar service, per Splunk's June 15 guidance, though functionality that depends on it may be affected. Disabling the service is a stopgap, not a fix; the upgrade still needs to follow.
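The affected and fixed version numbers above are easy to misread across two release trains, so here is a small checker that classifies a Splunk Enterprise version string against them. This is an editor-added example, not Splunk's, CISA's or the article author's own tooling. It assumes the version text contains a major.minor.patch triple somewhere in it (a bare "10.2.1", or the "Splunk 10.2.1 (build ...)" style printed by `splunk version`), and it deliberately reports trains the article does not mention (10.1.x, 10.3.x, 9.x) as not-listed rather than safe, since the page says nothing about them.

```python
"""Classify Splunk Enterprise version strings against the CVE-2026-20253
ranges quoted in the article.  Editor-added example, not vendor code.

Assumptions (not from the article): version text carries an x.y.z triple
somewhere in it; trains the article does not name are "not-listed".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Per-train data from the article: inclusive affected range and the first
# fixed release in that train.  10.4.0 is named only as a fixed release.
TRAINS: Dict[Tuple[int, int], dict] = {
    (10, 0): {"affected": ((10, 0, 0), (10, 0, 6)), "fixed_from": (10, 0, 7)},
    (10, 2): {"affected": ((10, 2, 0), (10, 2, 3)), "fixed_from": (10, 2, 4)},
    (10, 4): {"affected": None, "fixed_from": (10, 4, 0)},
}


@dataclass(frozen=True)
class Assessment:
    version: Version
    status: str                 # "vulnerable", "fixed" or "not-listed"
    upgrade_to: Optional[str]   # first fixed release in the same train


def fmt(v: Version) -> str:
    return ".".join(str(x) for x in v)


def parse_version(text: str) -> Version:
    """Pull the first major.minor.patch triple out of arbitrary version text."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(version_text: str) -> Assessment:
    v = parse_version(version_text)
    train = TRAINS.get((v[0], v[1]))
    if train is None:
        # Neither affected train nor the 10.4 fixed train: the article says
        # nothing about it, so do not report it as safe.
        return Assessment(v, "not-listed", None)
    rng = train["affected"]
    if rng is not None and rng[0] <= v <= rng[1]:
        return Assessment(v, "vulnerable", fmt(train["fixed_from"]))
    if v >= train["fixed_from"]:
        return Assessment(v, "fixed", None)
    return Assessment(v, "not-listed", None)


def assess_fleet(version_texts: List[str]) -> Dict[str, List[str]]:
    """Group one version string per host by status, for a quick inventory sweep."""
    groups: Dict[str, List[str]] = {"vulnerable": [], "fixed": [], "not-listed": []}
    for text in version_texts:
        a = assess(text)
        groups[a.status].append(fmt(a.version))
    return groups


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["Splunk 10.2.1 (build 0a1b2c)", "10.0.6", "10.2.4", "10.4.0", "10.1.2"]
    for text in sample:
        a = assess(text)
        note = f"upgrade to {a.upgrade_to}" if a.upgrade_to else ""
        print(f"{text:32} -> {a.status:11} {note}")
```

On a live host, feed it the output of `$SPLUNK_HOME/bin/splunk version`; the `not-listed` bucket is the one to follow up against the vendor advisory rather than quietly ignore.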
Federal agencies face a hard deadline of June 21. For everyone else, there’s no mandate. Just active exploitation.
James Okafor