The U.S. Cybersecurity and Infrastructure Security Agency added a Splunk Enterprise vulnerability tracked as CVE-2026-20253 to its Known Exploited Vulnerabilities (KEV) catalog on June 18, 2026. The catalog entry classifies the flaw as a missing-authentication-for-critical-function issue, the category recorded under CWE-306, and assigns a remediation due date of June 21, 2026 — three days after the entry was added.
According to the KEV record, the weakness sits in a path that does not require a user to authenticate before reaching a file-handling function. The catalog states that the flaw allows an unauthenticated user to create or truncate arbitrary files by way of a PostgreSQL sidecar service endpoint that ships alongside the Splunk Enterprise deployment. A sidecar service is a helper process that runs next to the main application; in this case, the record indicates that the endpoint exposed by that helper can be reached without the credential checks that normally gate write access.
"Splunk Enterprise contains a missing authentication for critical function vulnerability which could allow an unauthenticated user to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint." (CISA KEV catalog entry for CVE-2026-20253)
CISA's KEV catalog is a list of vulnerabilities the agency states are being exploited in the wild. Inclusion on the list is itself the signal: an entry means CISA has determined that active exploitation is occurring, which is the threshold the agency uses for adding any CVE. The catalog entry for CVE-2026-20253 marks the ransomware field as "Unknown," meaning the agency has not, in this record, tied the vulnerability to a named ransomware campaign. That field describes what the record documents, not a judgment about likelihood.
What the remediation instruction says
The required-action text in the KEV entry directs affected parties to apply mitigations in accordance with vendor instructions and to follow the agency's Binding Operational Directive 26-04, titled "Prioritizing Security Updates Based on Risk." The record also references CISA's "Forensics Triage Requirements" guidance. For cloud services, the entry instructs stakeholders to follow applicable BOD 26-04 guidance, or to discontinue use of the product if mitigations are unavailable. The record states that stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to the BOD 26-04 patching guidelines.
The compressed window between the June 18 listing and the June 21 due date reflects the short timeline carried by this entry. BOD 26-04 is binding on U.S. federal civilian executive-branch agencies; the KEV catalog as a whole is widely consulted by private-sector defenders as a prioritization reference, though the directive's legal obligation applies to the federal agencies it covers. The record points readers to the vendor advisory, published by Splunk as SVD-2026-0603, for the specific mitigation and version detail.
The mechanism the record describes
Missing authentication for critical function, CWE-306, describes a situation in which software performs a sensitive operation without first verifying that the requester is permitted to perform it. The KEV entry pairs that classification with a concrete consequence: the ability to create or truncate arbitrary files. Truncation reduces a file to zero length or a shortened length; creation writes a new file. Both are write-side operations, and the record states they can be triggered without authentication through the named PostgreSQL sidecar endpoint.
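The CWE-306 pattern described above is easier to see in code than in prose. The following is an added illustration written for this report, not Splunk's code and not a model of the sidecar endpoint the KEV entry names: a hypothetical file-writing handler that performs the write before any credential check, beside a hardened version that authenticates first, confines the path to a data directory, and refuses silent truncation. The request shape, the token value and the directory layout are all assumptions.

```python
"""CWE-306 on a file-writing handler: a hypothetical vulnerable endpoint and a
hardened one. Written for this report as an illustration of the weakness
category; it is not Splunk code and does not model the sidecar endpoint the
KEV entry names. Request shape, token and directory layout are assumptions."""
import hmac
import tempfile
from pathlib import Path

# Constructed credential for the example; a real service would look this up.
VALID_TOKEN = "example-token-not-real"


class AuthError(Exception):
    pass


class PathError(Exception):
    pass


def vulnerable_write(request: dict, data_dir: str) -> str:
    """CWE-306 pattern: the file is opened for writing before anyone checks
    who is asking. open(..., "w") creates a missing file and truncates an
    existing one to zero length, which is the consequence the record names."""
    target = Path(data_dir) / request["path"]
    with open(target, "w") as fh:
        fh.write(request.get("body", ""))
    return str(target)


def hardened_write(request: dict, data_dir: str) -> str:
    """Same operation, gated correctly: authenticate first, confine the path,
    and refuse silent truncation of an existing file."""
    token = request.get("headers", {}).get("Authorization", "")
    # Constant-time comparison, and rejection before any filesystem side effect.
    if not hmac.compare_digest(token.encode(), VALID_TOKEN.encode()):
        raise AuthError("authentication required")
    base = Path(data_dir).resolve()
    target = (base / request["path"]).resolve()
    # Confinement: the resolved target must sit strictly below the data directory.
    if base not in target.parents:
        raise PathError("path escapes the data directory")
    if target.exists() and not request.get("overwrite", False):
        raise PathError("refusing to truncate an existing file")
    with open(target, "w") as fh:
        fh.write(request.get("body", ""))
    return str(target)


def _outcome(fn, request: dict, data_dir: str) -> str:
    """Run one handler and classify the result for the demo table."""
    try:
        fn(request, data_dir)
        return "allowed"
    except AuthError:
        return "rejected:auth"
    except PathError:
        return "rejected:path"


def demo() -> dict:
    """Exercise both handlers on a scratch directory and report what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        sentinel = Path(d) / "config.txt"
        sentinel.write_text("important settings")
        anon = {"path": "config.txt", "body": ""}  # no credentials at all

        vulnerable_write(anon, d)  # unauthenticated request truncates the file
        results["vulnerable_truncated"] = sentinel.stat().st_size == 0
        sentinel.write_text("important settings")  # restore for the hardened runs

        results["hardened_anon"] = _outcome(hardened_write, anon, d)
        authed = {"headers": {"Authorization": VALID_TOKEN}}
        results["hardened_traversal"] = _outcome(
            hardened_write, {**authed, "path": "../escape.txt"}, d)
        results["hardened_truncate"] = _outcome(
            hardened_write, {**authed, "path": "config.txt"}, d)
        results["hardened_new_file"] = _outcome(
            hardened_write, {**authed, "path": "new.txt", "body": "ok"}, d)
        results["sentinel_intact"] = sentinel.read_text() == "important settings"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The ordering in `hardened_write` is the point: the authentication check runs before anything touches the filesystem, so an unauthenticated request produces no side effect at all, and the path confinement and overwrite flag narrow "arbitrary files" down to an explicit, auditable write.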
The record does not enumerate every affected build or describe an exploitation sequence beyond the summary quoted above; the version-level detail lives in the referenced Splunk advisory, SVD-2026-0603. What the KEV catalog documents is the category of weakness, the affected product (Splunk Enterprise), the date the agency added the entry (June 18, 2026), the due date (June 21, 2026), and the determination that the vulnerability is being exploited — the condition the agency applies before any CVE is listed.
For defenders consulting the catalog, the practical anchor points are the identifiers the record supplies: the CVE number CVE-2026-20253, the CWE-306 classification, the vendor advisory reference, and the BOD 26-04 framework cited in the required-action field. The National Vulnerability Database detail page for CVE-2026-20253 carries the standardized scoring and reference set as those are published. The KEV entry itself remains the authoritative record of the exploitation determination and the federal remediation deadline, and it is the document from which every fact in this report is drawn.
This entry continues a pattern of Splunk components appearing in vulnerability-management workflows because of the platform's role as a data-aggregation and log-analysis layer in many environments. The KEV record does not characterize blast radius or deployment prevalence; it documents the flaw, the product, and the timeline. Readers evaluating exposure are directed by the record to assess internet-facing accessibility of affected assets and to apply the vendor's mitigation in line with the cited directive.
How the catalog entry is structured
Each KEV record carries a fixed set of fields, and reading CVE-2026-20253 against that structure clarifies what is and is not being asserted. The vendor and product fields name Splunk and Enterprise. The vulnerability-name field labels the issue a "Splunk Enterprise Missing Authentication for Critical Function Vulnerability," which restates the CWE-306 classification in the catalog's own phrasing. The date-added field records June 18, 2026, and the due-date field records June 21, 2026. The short-description field carries the single summarizing sentence quoted earlier in this report, and the notes field aggregates the external references: the Splunk advisory SVD-2026-0603, the two BOD 26-04 documents, and the National Vulnerability Database detail page for the CVE.
The known-ransomware-campaign-use field reads "Unknown" for this entry. In the catalog's schema that field indicates the agency has not associated the vulnerability with a documented ransomware campaign in this record. It is a statement about the catalog's current documentation, not a probability estimate. Defenders who track ransomware-linked vulnerabilities separately will note that the field's value can change in later catalog revisions; the value reported here is the one present in the entry as added on June 18.
The required-action field is where the catalog translates the listing into an obligation for covered agencies. For CVE-2026-20253 that field instructs covered parties to apply mitigations in accordance with vendor instructions, to ensure compliance with BOD 26-04 and the agency's "Forensics Triage Requirements," to follow applicable BOD 26-04 guidance for cloud services, or to discontinue use of the product if mitigations are unavailable. The same field states that stakeholders are responsible for evaluating each asset's internet exposure. That instruction places the assessment of which deployments are reachable, and therefore most exposed, on the operators of the affected systems rather than on the catalog, which does not itself enumerate exposed instances.
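Because the catalog places the exposure assessment on operators, the usual defender workflow is to read the record's fixed fields and join them against an asset inventory. The following is an added example written for this report, not a CISA or Splunk tool: it parses a KEV-style record constructed from the fields the article describes (the `requiredAction` and `notes` values are paraphrased placeholder text, not the catalog's exact wording), computes the three-day remediation window, and produces a work list with internet-facing instances first. The field names follow the public KEV JSON feed as the author of this example knows it; the asset inventory, hostnames and exposure flags are invented.

```python
"""Turn a KEV-style record into a remediation work list. Added for this report;
the record is constructed from the fields the article describes (requiredAction
and notes are paraphrased placeholders, not the catalog's exact text), the
inventory is invented, and the field names follow the public KEV JSON feed."""
import json
from datetime import date

KEV_RECORD_JSON = """{
  "cveID": "CVE-2026-20253",
  "vendorProject": "Splunk",
  "product": "Enterprise",
  "vulnerabilityName": "Splunk Enterprise Missing Authentication for Critical Function Vulnerability",
  "dateAdded": "2026-06-18",
  "shortDescription": "Splunk Enterprise contains a missing authentication for critical function vulnerability which could allow an unauthenticated user to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint.",
  "requiredAction": "Apply mitigations per vendor instructions and BOD 26-04 (paraphrased placeholder).",
  "dueDate": "2026-06-21",
  "knownRansomwareCampaignUse": "Unknown",
  "notes": "Vendor advisory SVD-2026-0603 (URL placeholder)",
  "cwes": ["CWE-306"]
}"""

# Constructed inventory: hostnames and exposure flags are invented sample data.
ASSETS = [
    {"host": "splunk-sh-01", "vendor": "Splunk", "product": "Enterprise", "internet_facing": True},
    {"host": "splunk-idx-02", "vendor": "Splunk", "product": "Enterprise", "internet_facing": False},
    {"host": "web-01", "vendor": "nginx", "product": "nginx", "internet_facing": True},
]


def parse_record(raw: str) -> dict:
    """Parse one KEV record and convert its two date fields to date objects."""
    rec = json.loads(raw)
    for key in ("dateAdded", "dueDate"):
        rec[key] = date.fromisoformat(rec[key])
    return rec


def remediation_window_days(rec: dict) -> int:
    """Days between listing and deadline; 3 for this entry."""
    return (rec["dueDate"] - rec["dateAdded"]).days


def days_remaining(rec: dict, today: str) -> int:
    """Days left until the due date as of an ISO date; negative once it has passed."""
    return (rec["dueDate"] - date.fromisoformat(today)).days


def affected_assets(rec: dict, assets: list) -> list:
    """Match inventory rows on vendor and product, case-insensitively."""
    return [a for a in assets
            if a["vendor"].lower() == rec["vendorProject"].lower()
            and a["product"].lower() == rec["product"].lower()]


def work_list(rec: dict, assets: list, today: str) -> list:
    """Internet-facing instances first, since the required-action text puts the
    exposure assessment on the operator; every row carries the deadline."""
    ordered = sorted(affected_assets(rec, assets),
                     key=lambda a: not a["internet_facing"])  # False sorts first
    return [{
        "host": a["host"],
        "cve": rec["cveID"],
        "priority": "P1-internet-facing" if a["internet_facing"] else "P2-internal",
        "due": rec["dueDate"].isoformat(),
        "days_remaining": days_remaining(rec, today),
        "ransomware_use": rec["knownRansomwareCampaignUse"],
    } for a in ordered]


if __name__ == "__main__":
    record = parse_record(KEV_RECORD_JSON)
    print("remediation window (days):", remediation_window_days(record))
    for row in work_list(record, ASSETS, "2026-06-19"):
        print(row)
```

Carrying `knownRansomwareCampaignUse` through to each row is deliberate: the value is "Unknown" in the entry as added, and an inventory that stores the value seen at listing time makes a later catalog revision visible as a change rather than silently overwriting it.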