Splunk released patches for a critical vulnerability in Splunk Enterprise that enables unauthenticated attackers to execute arbitrary code on affected systems. The flaw, designated CVE-2026-20253, carries a CVSS severity score of 9.8.
The vulnerability affects Splunk Enterprise versions below 10.2.4 on the current release line and below 10.0.7 on the older branch. An unauthenticated attacker can exploit this flaw to create or truncate arbitrary files on vulnerable servers, a capability that escalates to full remote code execution in many deployment scenarios.
The threat applies directly to any organization running unpatched versions of Splunk Enterprise. Splunk deployments often sit at the network's core, collecting logs from critical infrastructure, cloud systems, and security tools. Compromise at this layer grants attackers visibility into organizational operations and positions them for lateral movement across internal networks.
Organizations must prioritize patching immediately. The 9.8 CVSS score reflects near-maximum severity. The unauthenticated nature of the exploit eliminates any friction that might otherwise slow an attack. An attacker with network access to a Splunk instance requires no credentials, no social engineering, and no prior system compromise to trigger code execution.
Splunk Enterprise administrators should update to version 10.2.4 or later for the current release line, or 10.0.7 for the older branch. Organizations unable to patch immediately should restrict network access to Splunk instances using firewalls or VPNs, limiting exposure to trusted internal networks only.
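A quick way to triage an estate against the version thresholds above is to compare each instance's reported version with the fixed version for its branch. The script below is an added example written for this article, not code from Splunk; it assumes that the 10.0.x branch is fixed at 10.0.7 and that every other release line (including 10.1.x and earlier majors, which the article's "below 10.2.4" wording covers) is fixed at 10.2.4, and it parses the version out of a `splunk version` style line such as "Splunk 10.2.3 (build ...)". The host names and version strings in the inventory are constructed sample data.

```python
"""Flag Splunk Enterprise instances still below the patched versions
named for CVE-2026-20253 (10.2.4 current line, 10.0.7 older branch)."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed versions as stated in the advisory text. Mapping of release
# line -> fixed version is an assumption drawn from the article:
# 10.0.x is the "older branch", everything else needs 10.2.4.
FIXED_VERSIONS: Dict[Optional[Tuple[int, int]], Version] = {
    (10, 0): (10, 0, 7),
    None: (10, 2, 4),  # default for any other major.minor line
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Extract the first major.minor.patch triple from a version string.

    Accepts bare versions ("10.2.3") as well as the banner printed by the
    `splunk version` CLI ("Splunk 10.2.3 (build ...)"). Extra components
    such as a fourth maintenance digit are ignored for the comparison.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def fixed_version_for(version: Version) -> Version:
    """Return the patched version that applies to this instance's branch."""
    major, minor, _ = version
    return FIXED_VERSIONS.get((major, minor), FIXED_VERSIONS[None])


def is_affected(version_text: str) -> bool:
    """True when the installed version is below the fix for its branch."""
    installed = parse_version(version_text)
    return installed < fixed_version_for(installed)


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, installed, required) for every instance still exposed.

    `inventory` maps a host name to the version string it reported.
    Entries whose version cannot be parsed are reported with a
    placeholder so they are not silently skipped.
    """
    exposed = []
    for host, reported in sorted(inventory.items()):
        try:
            installed = parse_version(reported)
        except ValueError:
            exposed.append((host, reported, "unparseable - verify manually"))
            continue
        required = fixed_version_for(installed)
        if installed < required:
            exposed.append((host, ".".join(map(str, installed)),
                            ".".join(map(str, required))))
    return exposed


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "splunk-sh-01": "Splunk 10.2.3 (build 0000000000)",
        "splunk-sh-02": "Splunk 10.2.4 (build 0000000000)",
        "splunk-idx-01": "Splunk 10.0.6 (build 0000000000)",
        "splunk-idx-02": "Splunk 10.0.7 (build 0000000000)",
        "splunk-hf-01": "Splunk 10.1.0 (build 0000000000)",
        "splunk-legacy": "unknown",
    }
    for host, installed, required in triage(sample):
        print(f"{host}: {installed} -> needs {required}")
```

Feed `triage` with whatever your inventory source reports (a CMDB export, the `splunk version` banner collected by configuration management, or the server info endpoint) and treat every returned row as a patch-or-isolate action item; anything unparseable is listed rather than dropped so it gets a manual look.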
The fix addresses file operation handling that incorrectly permits unauthenticated requests. Security researchers likely disclosed this privately to Splunk before public release, giving defenders a window to deploy patches before mass exploitation begins. That window closes quickly once vulnerability details become public.
Given Splunk's presence in security operations
