CVE-2026-20253 Splunk · SPL

Detect CVE-2026-20253: Splunk Enterprise Missing Authentication for Critical Function in Splunk

Detects exploitation attempts targeting CVE-2026-20253, a missing authentication vulnerability (CWE-306) in Splunk Enterprise. This KEV-listed vulnerability allows unauthenticated access to critical Splunk functions. Attackers may leverage this to execute searches, exfiltrate data, or manipulate Splunk configurations without valid credentials.

MITRE ATT&CK

Tactic
Initial Access Persistence Collection

SPL Detection Query

Splunk (SPL)
spl 
index=proxy OR index=web OR index=splunk_audit
(uri_path="/services/search/jobs" OR uri_path="/services/data/inputs" OR uri_path="/services/admin*" OR uri_path="/services/authentication*" OR uri_path="/en-US/splunkd/__raw/services*")
NOT (auth_token=* OR http_user_agent="Splunk*" AND cookie=*)
| eval unauthenticated=if(isnull(username) OR username="-" OR username="", "true", "false")
| where unauthenticated="true"
| eval request_method=upper(method)
| where request_method IN ("POST", "GET", "DELETE", "PUT")
| stats count min(_time) as first_seen max(_time) as last_seen values(uri_path) as paths values(src_ip) as source_ips by dest_ip, dest_port
| where count > 1
| eval first_seen=strftime(first_seen, "%Y-%m-%dT%H:%M:%SZ"), last_seen=strftime(last_seen, "%Y-%m-%dT%H:%M:%SZ")
| sort -count
critical severity medium confidence

Identifies unauthenticated requests to Splunk Enterprise REST API endpoints from proxy or web logs. Aggregates by destination to surface repeated exploitation attempts.

Data Sources

Web/Proxy LogsSplunk Internal Audit LogsNetwork Firewall Logs

Required Sourcetypes

access_combinedsplunk:web:accesspan:trafficcisco:asa

False Positives & Tuning

  • Automated monitoring tools performing unauthenticated health checks against Splunk
  • Misconfigured Splunk forwarders attempting registration without proper tokens
  • Internal vulnerability scanners probing Splunk REST API endpoints
  • Legacy integrations not yet migrated to token-based authentication

Other platforms for CVE-2026-20253

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Unauthenticated Splunk Search Job Creation via REST API

    Expected signal: HTTP POST to port 8089 without Authorization header; Splunk web_access.log entry with null/anonymous user; network flow record to TCP/8089

  2. Test 2Unauthenticated Splunk User Enumeration via REST API

    Expected signal: HTTP GET to /services/authentication/users on port 8089 without credentials; response body containing user list if vulnerable

  3. Test 3Unauthenticated Splunk Index Listing and Data Access

    Expected signal: Sequential unauthenticated GET and POST requests to Splunk REST API; multiple different /services/ paths accessed from same source IP within short timeframe

  4. Test 4Unauthenticated Splunk Configuration Modification Attempt

    Expected signal: HTTP POST to /services/data/inputs/ without Authorization header; Splunk audit log entry for configuration change with anonymous user context

Last updated: 2026-06-19 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2026-20253 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0003PersistenceTA0009Collection

Related Techniques

T1190Exploit Public-Facing ApplicationT1078.001Default AccountsT1530Data from Cloud StorageT1552Unsecured Credentials

Same Tactic: Initial Access

Popular Detections