In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials. Splunk Enterprise versions 9.4 and earlier are not affected. If you cannot immediately upgrade to a fixed version, you can mitigate this vulnerability by disabling the PostgreSQL sidecar service.
The PostgreSQL sidecar service in Splunk Enterprise exposes a network endpoint that does not require authentication (CWE-306: Missing Authentication for Critical Function). Any user with network access to this endpoint can send requests that trigger file system operations — creating new files or truncating existing ones to zero length. The lack of access controls makes the attack possible without possessing any credentials in the system.
An attacker can create arbitrary files or destroy the contents of existing files on the server, which may lead to system disruption, deletion of critical configuration data, or — in combination with other techniques — remote code execution (RCE).
Update Splunk Enterprise to version 10.2.4 or later (for the 10.2 branch) or to version 10.0.7 or later (for the 10.0 branch). If immediate patching is not possible, the vendor recommends disabling the PostgreSQL sidecar service as a temporary workaround.
Splunk Enterprise in versions 10.2 below 10.2.4 and in versions 10.0 below 10.0.7. Versions 9.4 and earlier are not vulnerable.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSplunk
APPSplunk10.0.0 – 10.0.7 (bez)10.2.0 – 10.2.4 (bez)
CISA KEV — detailsi
- Vendori
- Splunk
- Producti
- Enterprise
- Added to KEVi
- June 18, 2026
- Remediation deadline (US Federal)i
- June 21, 2026(overdue)
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
Splunk Enterprise contains a missing authentication for critical function vulnerability which could allow an unauthenticated user to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint.
Related vulnerabilities
Splunk Enterprise deployment servers in versions before 8.1.10.1, 8.2.6.1, and 9.0 let clients deploy forwarde...
Splunk Web in Splunk Enterprise 7.0.x before 7.0.0.1, 6.6.x before 6.6.3.2, 6.5.x before 6.5.6, 6.4.x before 6...
Splunk Web in Splunk Enterprise 5.0.x before 5.0.17, 6.0.x before 6.0.13, 6.1.x before 6.1.12, 6.2.x before 6....
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Exten...
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 1...