CVE-2026-20253 — Splunk Enterprise: unauthenticated pre-auth RCE via the PostgreSQL sidecar proxy
From CTI Daily Brief — 2026-06-14 · published 2026-06-14
CVE-2026-20253 (CVSS 9.8, CWE-306 Missing Authentication for Critical Function) is an unauthenticated remote code execution flaw in Splunk Enterprise 10.0.0–10.0.6 and 10.2.0–10.2.3 (Splunk SVD-2026-0603, 2026-06-10). watchTowr Labs, which published the full mechanism on 12 June, reports that Splunk-on-AWS is vulnerable out of the box because the PostgreSQL sidecar is enabled by default (watchTowr Labs, 2026-06-12). This brief's deep dive (§ 5) covers the sidecar-proxy chain, detection and patching in detail; fixed versions are 10.4.0, 10.2.4 and 10.0.7.
CVE Summary Table
| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-10520 | Ivanti Sentry (MDM gateway) | 10.0 | n/a | Yes (2026-06-11) | Yes — gateways backdoored (Shadowserver) | R10.5.2 / R10.6.2 / R10.7.1 | Security Affairs |
| CVE-2026-10795 | UpdraftPlus WordPress plugin ≤ 1.26.4 | 8.1 | n/a | No | Not confirmed ITW; mechanism public, Wordfence preventive rules | 1.26.5 | WPScan |
| CVE-2026-20253 | Splunk Enterprise 10.0.x / 10.2.x | 9.8 | n/a | No | PoC/analysis public; no ITW reported | 10.4.0 / 10.2.4 / 10.0.7 | Splunk SVD-2026-0603 |
(CVE-2026-10520 is carried as the § 0 Immediate Action and § 4 UPDATE; included here for the gate-clearing exploitation picture. CVEs that did not clear a § 2 inclusion gate this run — CVE-2026-47210 (vm2) and CVE-2026-12183 (BUK TS-G) — are noted in § 7.)