CVE-2026-20253: Splunk Enterprise Missing Authentication for Critical Function
Detects exploitation attempts targeting CVE-2026-20253, a missing authentication vulnerability (CWE-306) in Splunk Enterprise. This KEV-listed vulnerability allows unauthenticated access to critical Splunk functions. Attackers may leverage this to execute searches, exfiltrate data, or manipulate Splunk configurations without valid credentials.
Vulnerability Intelligence
KEV: Known Exploited
Affected Software
- Vendor: Splunk
- Product: Enterprise
Weakness (CWE)
- CWE-306
Timeline
- Disclosed: June 18, 2026
References & Proof of Concept
- https://advisory.splunk.com/advisories/SVD-2026-0603
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2026-20253
CVSS
What is CVE-2026-20253: Splunk Enterprise Missing Authentication for Critical Function?
CVE-2026-20253: Splunk Enterprise Missing Authentication for Critical Function maps to the MITRE ATT&CK tactics Initial Access, Persistence and Collection (the adversary is trying to get into your network).
This page provides production-ready detection logic for CVE-2026-20253: Splunk Enterprise Missing Authentication for Critical Function, covering the data sources and telemetry it touches: CommonSecurityLog, W3CIISLog, Azure Firewall Logs. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
- Tactic: Initial Access, Persistence, Collection
// Unauthenticated requests to sensitive Splunk Enterprise REST API paths, from CEF (CommonSecurityLog)
// and IIS (W3CIISLog) sources. isfuzzy=true lets the query run even if one table is absent.
union isfuzzy=true
(
CommonSecurityLog
// bound the scan inside each branch rather than after the union
| where TimeGenerated > ago(24h)
| where DeviceVendor =~ "Splunk"
| where RequestURL has_any ("/services/search/jobs", "/services/data/inputs", "/services/admin", "/services/authentication", "/en-US/splunkd/__raw/services")
// no session/auth token carried in the CEF extension fields
| where isempty(AdditionalExtensions) or AdditionalExtensions !has "authToken"
| where RequestMethod in ("POST", "GET", "DELETE")
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, RequestMethod, DeviceVendor, DeviceProduct, EventOutcome
),
(
W3CIISLog
| where TimeGenerated > ago(24h)
| where csUriStem has_any ("/services/search/jobs", "/services/data/inputs", "/services/admin", "/services/authentication")
// IIS records an anonymous request with an empty or "-" user name (column is csUserName)
| where isempty(csUserName) or csUserName == "-"
| where csMethod in ("POST", "GET", "DELETE")
| project TimeGenerated, cIP, csUriStem, csMethod, scStatus, csUserName
)
Detects unauthenticated HTTP requests to sensitive Splunk Enterprise API endpoints that require authentication. Looks for requests to critical Splunk service paths that carry no authentication token or username.
Data Sources
- CommonSecurityLog
- W3CIISLog
- Azure Firewall Logs
Required Tables
- CommonSecurityLog
- W3CIISLog
False Positives
- Health check probes or monitoring agents that hit Splunk endpoints without credentials
- Internal network scanners performing asset inventory against Splunk ports
- Splunk forwarder registration traffic that may appear unauthenticated in some log parsers
- Load balancer or reverse proxy health checks targeting Splunk REST API paths
Sigma rule & cross-platform mapping
The detection logic for CVE-2026-20253: Splunk Enterprise Missing Authentication for Critical Function above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps) and LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:
logsource:
  category: network_connection
  product: windows
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Unauthenticated Splunk Search Job Creation via REST API
Expected signal: HTTP POST to port 8089 without Authorization header; Splunk web_access.log entry with null/anonymous user; network flow record to TCP/8089
- Test 2: Unauthenticated Splunk User Enumeration via REST API
Expected signal: HTTP GET to /services/authentication/users on port 8089 without credentials; response body containing user list if vulnerable
- Test 3: Unauthenticated Splunk Index Listing and Data Access
Expected signal: Sequential unauthenticated GET and POST requests to Splunk REST API; multiple different /services/ paths accessed from the same source IP within a short timeframe
- Test 4: Unauthenticated Splunk Configuration Modification Attempt
Expected signal: HTTP POST to /services/data/inputs/ without Authorization header; Splunk audit log entry for configuration change with anonymous user context
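The predicate of the KQL query above and the Test 3 "several /services/ paths from one source in a short window" signal, applied to Splunk web_access.log lines, as an added example that is not part of this detection package. The log layout (client, "-", user, timestamp, request line, status, bytes) and the sample lines are constructed assumptions; the sensitive paths come from the query.

```python
import re
from datetime import datetime, timedelta

# Sensitive splunkd REST paths, taken from the KQL query above.
SENSITIVE_PATHS = ("/services/search/jobs", "/services/data/inputs", "/services/admin",
                   "/services/authentication", "/en-US/splunkd/__raw/services")
# Assumed combined-log style layout: client - user [timestamp] "METHOD path HTTP/x" status bytes
LINE_RE = re.compile(r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Constructed sample: one unauthenticated burst, one admin request, one health probe (must not fire).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Jun/2026:10:00:00.100 +0000] "POST /services/search/jobs HTTP/1.1" 201 512
10.0.0.5 - - [18/Jun/2026:10:00:01.200 +0000] "GET /services/authentication/users HTTP/1.1" 200 2048
10.0.0.5 - - [18/Jun/2026:10:00:02.300 +0000] "POST /services/data/inputs/monitor HTTP/1.1" 201 300
10.0.0.9 - admin [18/Jun/2026:10:01:00.000 +0000] "GET /services/search/jobs HTTP/1.1" 200 4096
10.0.0.7 - - [18/Jun/2026:10:02:00.000 +0000] "GET /services/server/health HTTP/1.1" 200 128
"""

def parse_line(line):
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S.%f %z")
    return rec

def is_unauth_sensitive(rec):
    """Same predicate as the query: sensitive path, GET/POST/DELETE, and no user recorded."""
    return (rec["method"] in ("POST", "GET", "DELETE")
            and any(p in rec["path"] for p in SENSITIVE_PATHS)
            and rec["user"] in ("-", ""))

def find_hits(lines):
    return [r for r in map(parse_line, lines) if r and is_unauth_sensitive(r)]

def burst_sources(hits, window=timedelta(minutes=5), min_paths=3):
    """Test 3 heuristic: one client hitting >= min_paths distinct sensitive paths inside `window`."""
    by_ip = {}
    for r in hits:
        by_ip.setdefault(r["ip"], []).append(r)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):  # slide the window forward from each request
            paths = {r["path"] for r in recs[i:] if r["ts"] - first["ts"] <= window}
            if len(paths) >= min_paths:
                flagged[ip] = sorted(paths)
                break
    return flagged
```

The health probe on /services/server/health is not flagged because it touches none of the sensitive paths; probes that do hit those paths without credentials are the false-positive class listed above and need an allowlist of monitoring sources.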