NCSC-2026-0198 [1.01] [M/H] Vulnerabilities fixed in Splunk Enterprise and Splunk Cloud Platform
Actively exploited. At least one CVE in this advisory is listed in the CISA Known Exploited Vulnerabilities catalog — exploitation has been observed in the wild. Treat remediation as urgent.
Splunk has fixed multiple vulnerabilities in Splunk Enterprise and Splunk Cloud Platform. The vulnerabilities affect various components of Splunk Enterprise and Splunk Cloud Platform. Splunk has assessed the vulnerability with CVE-2026-20253 in the PostgreSQL sidecar service endpoint as critical, allowing unauthenticated users to create or delete arbitrary files due to the lack of authentication controls. Another vulnerability with CVE-2026-20251 concerns Remote Code Execution (RCE) via unsafe deserialization of KV Store data with the 'jsonpickle' Python library, allowing low-privileged users without admin or power roles to execute code remotely. Furthermore, multiple vulnerabilities have been identified that allow sensitive data to be exfiltrated via SSRF, CSS injection, and XSS attacks. Due to insufficient validation of URLs, domains, and user input, attackers can bypass security controls, access internal systems, and exfiltrate data. Update: The Splunk Product Security Incident Response Team (PSIRT) reports that limited and targeted exploitation of the vulnerability with CVE-2026-20253 has been observed. The vulnerability allows a malicious actor to create or delete files, disrupting the operation of the system. As far as known, code execution is not possible.
CSIRTS triage
- What
- Multiple vulnerabilities allow unauthenticated access and remote code execution.
- Who is affected
- Users of Splunk Enterprise and Splunk Cloud Platform.
- Urgency
- Remediation is urgent due to the critical nature of the vulnerabilities and active exploitation.
- Action
- Apply the latest security updates from Splunk.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch Splunk Enterprise and Splunk Cloud Platform
Get an email when a new Splunk Enterprise and Splunk Cloud Platform advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://advisories.ncsc.nl/advisory?id=NCSC-2026-0198
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Exploitation confirmedCVE-2026-20253Already exploited in the wild (CISA KEV) — the prediction phase is over. Patch now. Riskier than 100% of all scored CVEs.
- Exploitation confirmedCVE-2026-20251Already exploited in the wild (CISA KEV) — the prediction phase is over. Patch now. Riskier than 43% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-20253 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-20251 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- unknownexploitedSplunk security advisory (AV26-586) – Update 1cccs
- criticalexploitedCVE-2026-20253: Splunk Enterprise Missing Authentication for Critical Function Vulnerabilitycisa-kev
Recent advisories for Splunk Enterprise and
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- high[UPDATE] [high] Splunk Splunk Enterprise: Multiple vulnerabilitiescert-bund · 2026-07-10
- high[UPDATE] [high] Splunk Splunk Enterprise: Multiple vulnerabilitiescert-bund · 2026-07-03
- medium[UPDATE] [medium] Splunk Splunk Enterprise: Multiple vulnerabilities in third-party componentscert-bund · 2026-07-02
- criticalexploitedCVE-2026-20253: Splunk Enterprise Missing Authentication for Critical Function Vulnerabilitycisa-kev · 2026-06-18
More from NCSC-NL Advisories
- unknownNCSC-2026-0223 [1.00] [M/H] Vulnerabilities fixed in BeyondTrust Remote Support and Privileged Remote Access2026-07-10
- unknownNCSC-2026-0222 [1.00] [M/H] Vulnerabilities fixed in GitLab Enterprise Edition and Community Edition2026-07-10
- unknownNCSC-2026-0221 [1.00] [M/H] Vulnerabilities fixed in UniFi products from Ubiquiti Networks2026-07-07
- unknownNCSC-2026-0220 [1.00] [M/H] Vulnerabilities fixed in Rancher by Rancher Labs2026-07-03
- unknownNCSC-2026-0219 [1.00] [M/H] Vulnerabilities fixed in GitHub Enterprise Server2026-07-03