Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication

thehackernews.com 2026-06-13 SaaS AI risk Critical

What Happened

Splunk has released security updates to address a critical security flaw in Splunk Enterprise that could be exploited to conduct unauthenticated file operations and even remote code execution. The vulnerability, tracked as CVE-2026-20253, is rated 9.8 on the CVSS scoring system. "In Splunk Enterprise versions below 10.2.4 and 10.0.7, an unauthenticated user could create or truncate arbitrary

Why It Matters

The article reports a critical vulnerability in Splunk Enterprise (CVE-2026-20253, CVSS 9.8) that allows an unauthenticated, network-reachable attacker to create or truncate arbitrary files via a PostgreSQL sidecar service endpoint lacking authentication in versions below 10.2.4 and 10.0.7.[1][3] Splunk’s advisory confirms that this flaw can be exploited remotely without credentials, potentially leading to full system compromise, data destruction, or staging of malicious code, and recommends upgrading to fixed versions such as 10.4.0, 10.2.4, or 10.0.7.[1][3][5]

From a CyberSE.AI perspective, any AI agents or analytics pipelines that rely on Splunk as a logging, telemetry, or decision backend face elevated SaaS AI risk: successful exploitation could tamper with logs used for model monitoring, hide or fabricate security signals, and indirectly mislead AI-driven detection or response workflows. Organizations should treat Splunk as part of their AI attack surface, rapidly patch affected instances, harden network exposure, and include Splunk configuration, access control, and log integrity checks in their AI Security Readiness Assessment.
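A patch-triage check for the fixed releases named above, as an added example that is not from Splunk or the source article. The hostnames, inventory format and function names are constructed; release trains this page does not name are reported as `check-advisory` rather than guessed.

```python
import re

# Fixed releases named on this page, keyed by (major, minor) release train.
# Comparing per train matters: 10.2.0 is numerically above 10.0.7 but is
# still below its own train's fix, 10.2.4.
FIXED = {(10, 0): (10, 0, 7), (10, 2): (10, 2, 4), (10, 4): (10, 4, 0)}


def parse_version(text):
    """Return (major, minor, patch) from a string such as 'Splunk 10.2.3 (build x)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())


def triage(version_text):
    """Classify one instance as 'vulnerable', 'fixed' or 'check-advisory'."""
    v = parse_version(version_text)
    fix = FIXED.get(v[:2])
    if fix is None:
        # Train not named on this page: defer to the vendor advisory.
        return "check-advisory"
    return "fixed" if v >= fix else "vulnerable"


def triage_inventory(inventory):
    """Map host -> status for a dict of host -> reported version string."""
    return {host: triage(ver) for host, ver in inventory.items()}


# Constructed inventory (hypothetical hosts and version strings).
SAMPLE = {
    "splunk-idx-01": "Splunk 10.2.3 (build constructed)",
    "splunk-idx-02": "10.2.4",
    "splunk-sh-01": "10.0.6",
    "splunk-sh-02": "10.4.0",
    "splunk-hf-01": "9.4.2",
}

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE).items()):
        print(f"{host:15} {SAMPLE[host]:35} {status}")
```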

Healthcare Fintech SaaS SMB AI startups

CyberSE Analysis

This signal maps to SaaS AI risk. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.

Recommended Actions

  • Restrict AI agent tool permissions and production write paths.
  • Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
  • Add human approval workflows for high-impact or state-changing actions.
  • Run prompt injection and indirect prompt injection tests against affected workflows.
  • Document the owner, control gap, and remediation deadline for this risk class.

Source

https://thehackernews.com/2026/06/critical-splunk-enterprise-flaw-lets.html
