A critical vulnerability in Splunk Enterprise is being actively exploited just days after its public disclosure, prompting urgent calls for organizations to apply patches immediately. Identified as CVE-2026-20253, the flaw allows unauthenticated attackers to manipulate files through a PostgreSQL sidecar service endpoint that lacks authentication controls. It affects Splunk Enterprise 10.2 releases prior to 10.2.4 and 10.0 releases prior to 10.0.7. Splunk released patches addressing the issue on June 10.

Just two days after disclosure, cybersecurity researchers at WatchTowr showed how an unauthenticated attacker could use the vulnerability to achieve remote code execution, and they shared technical details alongside proof-of-concept code. Splunk confirmed limited exploitation of the vulnerability on June 18 and urged customers to upgrade to the patched versions immediately.

The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20253 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch it by June 21. This marks the first time a Splunk flaw has been included in CISA's KEV list. Although specific details about the attacks remain undisclosed, the vulnerability poses a significant risk to many enterprises worldwide.
Urgent Patch Required for Splunk Enterprise Vulnerability Exploited Post-Disclosure
CISA warns federal agencies to patch CVE-2026-20253 quickly due to unauthenticated RCE risk.


