CISA KEV Alert 6/18/2026, 10:30:37 PM

CISA flags critical Splunk flaw enabling unauthenticated file edits

Splunk Enterprise critical vulnerabilities (including CVE-2026-20253) exploited in the wild
Primary source: cisa.gov
CISA KEV: listed
Patch: available

CISA has added CVE-2026-20253 to its Known Exploited Vulnerabilities catalogue. The flaw affects Splunk Enterprise and is named the Splunk Enterprise Missing Authentication for Critical Function Vulnerability. It allows an unauthenticated attacker to create or truncate arbitrary files via a PostgreSQL sidecar service endpoint.

The vulnerability is a missing authentication check in a critical function, exploitable over the network with low complexity. It carries a CVSS v3.1 base score of 9.8, rated CRITICAL, and permits unauthenticated file manipulation that could lead to further compromise. A patch is available from Splunk.

Because the entry is in the KEV catalogue, active exploitation has been confirmed in the wild; no ransomware campaign use has been reported to date. Federal agencies must apply mitigations by the remediation due date of 2026-06-21.

CISA’s required action is to apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritising Security Updates Based on Risk guidance and CISA’s “Forensics Triage Requirements”. Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines. While the directive binds Federal Civilian Executive Branch agencies, all organisations should review their exposure to this flaw.

For full details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-20253 and the CISA KEV catalogue.


Article by CyberSIXT
