Splunk: Critical and High Severity Vulnerabilities Disclosed Together on June 10, 2026

Key findings
- Ten vulnerabilities affecting Splunk Enterprise, Cloud Platform, and SOAR disclosed on June 10, 2026.
- Includes a critical severity flaw (CVE-2026-20253) allowing arbitrary file creation/truncation.
- Multiple high severity vulnerabilities enable unauthorized server-side requests and script storage.
- Several medium severity flaws permit data exfiltration via crafted dashboards.
- Affected versions span Splunk Enterprise, Cloud Platform, SOAR, and Secure Gateway.
- Splunk has released patches; users are urged to update immediately.
On June 10, 2026, a significant batch of ten vulnerabilities was disclosed across Splunk's product ecosystem, impacting Splunk Enterprise, Splunk Cloud Platform, and Splunk SOAR. The disclosures include one critical severity vulnerability and multiple high and medium severity flaws, collectively posing a substantial risk to organizations relying on these security and data analysis platforms. The coordinated disclosure highlights potential avenues for attackers to gain unauthorized access, exfiltrate data, or disrupt operations.
A critical vulnerability, CVE-2026-20253, with a CVSSv3 score of 9.8, allows an unauthenticated user to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. This flaw affects Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.3 and 10.2.2510.14. The vulnerability arises from how the PostgreSQL sidecar service endpoint handles requests.
Several high severity vulnerabilities were also detailed. CVE-2026-20251 (CVSSv3 8.8) allows a low-privileged user to execute arbitrary code or commands by sending crafted requests to internal endpoints, impacting Splunk Enterprise, Splunk Cloud Platform, and Splunk Secure Gateway. CVE-2026-20252 (CVSSv3 7.6) enables a low-privileged user to send server-side requests to arbitrary internal destinations, potentially leading to further compromise. Additionally, CVE-2026-20258 (CVSSv3 7.1) permits a low-privileged user to store a malicious script in a classic dashboard HTML panel, which could be executed by administrators.
Multiple medium severity vulnerabilities were disclosed, many of which involve data exfiltration or privilege escalation through classic dashboards. CVE-2026-20254, CVE-2026-20255, CVE-2026-20256, and CVE-2026-20257, all with a CVSSv3 score of 5.7, allow low-privileged users to craft malicious classic dashboards that can exfiltrate sensitive data or redirect users. CVE-2026-20259 (CVSSv3 5.5) allows a user with specific Splunk roles to reassign saved search ownership, potentially leading to unauthorized access or modification of sensitive search data. Finally, CVE-2026-20260 (CVSSv3 4.3) involves the injection of ANSI escape codes into log files, which could be interpreted by terminal emulators when viewed by an administrator, potentially leading to command execution.
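For the log-file issue described for CVE-2026-20260, a check that flags log lines carrying terminal escape sequences and renders them inert before anyone views them in a terminal. This is an added example, not Splunk's code; the function names are hypothetical and the sample lines are constructed, not real Splunk log output.

```python
import re

# ESC-introduced sequences a terminal emulator would act on:
# CSI (ESC [ params final-byte) and OSC (ESC ] text, ended by BEL or ESC \).
ANSI_SEQ = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?"
)
# C0 controls except TAB, plus DEL and the C1 range. A bare ESC or a
# mid-line carriage return is caught here even without a full sequence.
CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")


def find_escapes(line):
    """Return every complete escape sequence found in one log line."""
    return [m.group(0) for m in ANSI_SEQ.finditer(line)]


def neutralize(line):
    """Rewrite control characters as visible \\xNN text so a terminal
    prints them instead of interpreting them."""
    return CONTROL.sub(lambda m: "\\x%02x" % ord(m.group(0)), line)


def scan(lines):
    """Return (line_number, sequence_count, safe_text) for suspicious lines."""
    findings = []
    for number, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")  # line endings themselves are not findings
        sequences = find_escapes(line)
        if sequences or CONTROL.search(line):
            findings.append((number, len(sequences), neutralize(line)))
    return findings


# Constructed sample input (assumed layout, for illustration only).
SAMPLE = [
    "06-10-2026 12:00:01.123 INFO  UiAuth - user=alice status=success\n",
    "06-10-2026 12:00:02.456 WARN  UiAuth - user=bob\x1b[2K\x1b[1A\x1b[32m status=success\x1b[0m\n",
    "06-10-2026 12:00:03.789 INFO  Search - name=\x1b]0;title\x07report\n",
]

if __name__ == "__main__":
    for number, count, safe in scan(SAMPLE):
        print(f"line {number}: {count} escape sequence(s): {safe}")
```

Running the scan over files before paging them, or piping output through `neutralize`, keeps the raw bytes on disk for forensics while the terminal only ever receives printable text.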
These vulnerabilities affect a wide range of Splunk Enterprise and Splunk Cloud Platform versions. Specific affected versions include Splunk Enterprise below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform below various specific build numbers across different versions. Splunk SOAR is affected in versions below 8.5.0, and Splunk Secure Gateway below 3.10.6, 3.9.20, and 3.8.67. Splunk has released patches and updates to address these issues, urging users to upgrade to the latest secure versions as soon as possible.
The coordinated disclosure of these ten vulnerabilities underscores the importance of maintaining up-to-date security configurations and applying patches promptly. The range of severity, from critical file manipulation to data exfiltration and unauthorized access, necessitates immediate attention from all Splunk users. Organizations should prioritize patching the most critical flaws, particularly CVE-2026-20253, and review their security posture to mitigate potential risks.