ctipilot.ch

CVE-2026-20253 — Splunk Enterprise: unauthenticated arbitrary file creation/truncation via the PostgreSQL sidecar proxy `[SINGLE-SOURCE]`

From CTI Weekly Summary — 2026-W24 (Jun 08 – Jun 14, 2026) · published 2026-06-14

Disclosed this week and not yet seen exploited, but it belongs in the operationally-critical tier because Splunk is the SIEM/log-analytics backbone in many SOCs — including public-sector ones — and an unauthenticated flaw on your detection platform is a defender's worst-case blind spot. Per Splunk's advisory, CVE-2026-20253 (CVSS 9.8, CWE-306 Missing Authentication for Critical Function) lets an unauthenticated actor create or truncate arbitrary files via the bundled PostgreSQL sidecar proxy in Splunk Enterprise 10.0.0–10.0.6 and 10.2.0–10.2.3 — a primitive that can be chained toward code execution but which the advisory itself scopes as file creation/truncation rather than direct RCE (Splunk SVD-2026-0603; daily 06-14). Patch to the fixed maintenance releases; where the Splunk web/API tier is internet-reachable, restrict it now — a compromised SIEM lets an attacker both pivot and rewrite the evidence.
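Triage script for the patching step above, added here as an example and not part of the ctipilot.ch brief or Splunk's advisory: it checks Splunk Enterprise version strings against the two affected ranges the brief quotes (10.0.0–10.0.6 and 10.2.0–10.2.3). The brief does not name the fixed maintenance releases, so versions outside those ranges are reported as "not-listed" rather than "fixed", and the hostnames and versions in the sample inventory are constructed.

```python
# Added example: version triage for CVE-2026-20253 against the ranges the
# brief quotes. Fixed releases are not named in the brief, so anything
# outside the ranges is "not-listed", never "fixed".
import re

# Inclusive (low, high) ranges as given in the brief (Splunk SVD-2026-0603).
AFFECTED_RANGES = [
    ((10, 0, 0), (10, 0, 6)),
    ((10, 2, 0), (10, 2, 3)),
]


def parse_version(text):
    """Reduce '10.2.3' or '10.0.6 (build abc123)' to a 3-tuple of ints.
    Only the first three numeric fields matter for the advisory ranges;
    a missing patch field is treated as 0."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unrecognised Splunk version string: %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def triage(text):
    """'affected' if the version lies inside an advisory range, otherwise
    'not-listed' (confirm the fixed release against the vendor advisory
    before treating such a host as safe)."""
    v = parse_version(text)
    for low, high in AFFECTED_RANGES:
        if low <= v <= high:
            return "affected"
    return "not-listed"


def triage_inventory(inventory):
    """inventory: dict host -> version string. Returns the sorted list of
    hosts inside an affected range, ready to feed a patch change ticket."""
    return sorted(h for h, ver in inventory.items() if triage(ver) == "affected")


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative.
    sample = {
        "siem-01.example": "10.2.3",
        "siem-02.example": "10.2.4",
        "siem-03.example": "10.0.6 (build abc123)",
        "siem-04.example": "10.1.2",
        "hf-01.example": "9.4.1",
    }
    for host in triage_inventory(sample):
        print("PATCH REQUIRED:", host, sample[host])
```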