Protect.Computer

Critical Splunk Flaw Lets Anyone Take Over Your Server


Splunk has released emergency security patches for a critical flaw (CVE-2026-20253, CVSS 9.8/10) in Splunk Enterprise that allows anyone with network access to run code on the server — no password required. The vulnerability exists because a backend PostgreSQL service exposes unauthenticated API endpoints that can be used to write and execute arbitrary files on the host. An attacker on the same network could completely take over a Splunk server in minutes.

Splunk Enterprise is widely used by businesses to monitor and analyze their security logs. While this vulnerability primarily affects IT and security teams, a compromised Splunk server can expose sensitive data from every system connected to it — including employee records, customer data, and internal communications. No active exploitation has been reported yet, but technical details are now public.

How to check if you’re affected

Affected versions include Splunk Enterprise 10.0.0 through 10.0.6 and Splunk Enterprise 10.2.0 through 10.2.3. If your organization runs Splunk Enterprise, your IT team should update immediately:

  • Splunk Enterprise 10.0.x → update to 10.0.7 or later
  • Splunk Enterprise 10.2.x → update to 10.2.4 or later
  • Splunk Enterprise 10.4.x and Splunk Cloud are not affected
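For teams with more than one Splunk instance, the version list above can be applied to a whole inventory at once. The following is an added example, not a Splunk tool and not part of the original article; it assumes each host reports a version string containing an x.y.z number, and the host names and version strings in the sample are constructed.

```python
import re

# Affected ranges and fixed releases exactly as listed in the article above.
AFFECTED = [
    # (first affected, last affected, first fixed)
    ((10, 0, 0), (10, 0, 6), (10, 0, 7)),
    ((10, 2, 0), (10, 2, 3), (10, 2, 4)),
]
# Release lines the article lists as not affected.
NOT_AFFECTED_LINES = [(10, 4)]
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Extract the first x.y.z triple from a version string, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def classify(text):
    """Return (status, upgrade_target) for one reported version string."""
    v = parse_version(text)
    if v is None:
        return ("unparsed", None)
    for first, last, fixed in AFFECTED:
        if first <= v <= last:
            return ("affected", ".".join(map(str, fixed)))
        if v[:2] == first[:2] and v >= fixed:
            return ("patched", None)
    if v[:2] in NOT_AFFECTED_LINES:
        return ("not affected", None)
    # The article says nothing about other release lines; do not assume safety.
    return ("not listed", None)

def triage(inventory):
    """Map host -> (status, upgrade_target) for a {host: version string} dict."""
    return {host: classify(ver) for host, ver in inventory.items()}

# Constructed sample inventory (host names and build suffix are made up).
SAMPLE = {
    "idx01": "Splunk 10.0.6 (build 0000000000)",
    "idx02": "10.0.7",
    "sh01": "10.2.3",
    "sh02": "10.2.10",
    "hf01": "10.4.1",
    "old01": "9.3.2",
}

if __name__ == "__main__":
    for host, (status, target) in sorted(triage(SAMPLE).items()):
        print(f"{host:6} {status:13} {'-> ' + target if target else ''}")
```

Versions are compared as integer tuples so that a release such as 10.2.10 sorts after 10.2.4 rather than before it, and release lines the article does not mention are reported as "not listed" instead of being treated as safe.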
