CVE-2026-20251
Actively exploited. CVE-2026-20251 is listed in the CISA Known Exploited Vulnerabilities catalog — exploitation has been observed in the wild, and US federal agencies are required to remediate it under BOD 22-01. Treat patching as urgent.
Splunk has fixed multiple vulnerabilities in Splunk Enterprise and Splunk Cloud Platform. The vulnerabilities affect various components of Splunk Enterprise and Splunk Cloud Platform. Splunk has assessed the vulnerability with CVE-2026-20253 in the PostgreSQL sidecar service endpoint as critical, allowing unauthenticated users to create or delete arbitrary files due to the lack of authentication controls. Another vulnerability with CVE-2026-20251 concerns Remote Code Execution (RCE) via unsafe deserialization of KV Store data with the 'jsonpickle' Python library, allowing low-privileged users without admin or power roles to execute code remotely. Furthermore, multiple vulnerabilities have been identified that allow sensitive data to be exfiltrated via SSRF, CSS injection, and XSS attacks. Due to insufficient validation of URLs, domains, and user input, attackers can bypass security controls, access internal systems, and exfiltrate data. Update: The Splunk Product Security Incident Response Team (PSIRT) reports that limited and targeted exploitation of the vulnerability with CVE-2026-20253 has been observed. The vulnerability allows a malicious actor to create or delete files, disrupting the operation of the system. As far as known, code execution is not possible.
CSIRTS triage
- What
- Multiple vulnerabilities allow unauthenticated access and remote code execution.
- Who is affected
- Users of Splunk Enterprise and Splunk Cloud Platform.
- Urgency
- Remediation is urgent due to the critical nature of the vulnerabilities and active exploitation.
- Action
- Apply the latest security updates from Splunk.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch CVE-2026-20251
Get an email if CVE-2026-20251 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Exploitation confirmedAlready exploited in the wild (CISA KEV) — the prediction phase is over. Patch now. Riskier than 43% of all EPSS-scored CVEs.
Advisory coverage (1)
- unknownexploitedNCSC-2026-0198 [1.01] [M/H] Vulnerabilities fixed in Splunk Enterprise and Splunk Cloud Platformncsc-nl · 2026-06-19
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-20251)