CVE-2026-20253, a vulnerability in Splunk Enterprise rated 9.8 on the CVSS scale, can permit unauthenticated attackers to create or truncate files and, in some cases, achieve remote code execution.
What CVE-2026-20253 is
Splunk said in an alert that "In Splunk Enterprise versions below 10.2.4 and 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint." The vendor described the root cause concisely: "The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials." The issue has been assigned CVE-2026-20253 and carries a CVSS score of 9.8.
How the PostgreSQL sidecar endpoints can be abused
WatchTowr Labs and Splunk’s advisory together map a direct exploitation path that begins with two sidecar endpoints and leads to arbitrary file writes on the Splunk file system. The technical chain, as described in the reporting, proceeds in three primary steps:
- Use the /v1/postgres/recovery/backup endpoint to connect to an attacker-controlled database and dump its contents into an arbitrary file on the Splunk host.
- Use the /v1/postgres/recovery/restore endpoint to load that dump into the local PostgreSQL instance, supplying a "passfile" argument that points to the Splunk host's .pgpass file (for example, "/opt/splunk/var/packages/data/postgres/.pgpass") to obtain the postgres_admin password.
- Execute SQL contained in the restored dump on the local PostgreSQL instance; those SQL statements can define functions that use lo_export to write arbitrary BLOB data to files on disk, producing an arbitrary file-write primitive which attackers can then use to overwrite frequently executed Python scripts and achieve remote code execution.
WatchTowr Labs' published exploit specifics
WatchTowr Labs released the additional technical detail that enables a pre-authenticated remote code execution scenario via the two endpoints. The researchers Piotr Bazydlo and Yordan Ganchev explained the practical steps they used: "At this point, we can authenticate, restore attacker-controlled SQL, and interact with the local database." They described constructing a database dump that, when restored, executed SQL which invoked lo_export to write attacker-controlled content to files, and then overwriting a Python script Splunk frequently executes—citing "/opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py" as an example target for replacement with a malicious payload.
Splunk Enterprise versions affected, fixes, and Splunk Cloud
Splunk has issued updates to address the flaw. The versions and fixes listed in the advisory are:
- Splunk Enterprise 10.0.0 to 10.0.6 — fixed in 10.0.7
- Splunk Enterprise 10.2.0 to 10.2.3 — fixed in 10.2.4
- Splunk Enterprise 10.4 — not affected
Splunk — which the advisory notes is part of Cisco — also stated that Splunk Cloud is not impacted because Postgres sidecars are not used in that product.
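For operators validating version numbers against the fixed releases, the following is an added Python check (not Splunk's or the reporter's tooling) that classifies a Splunk Enterprise version string against exactly the ranges the advisory lists; release lines the advisory does not mention are reported as not covered rather than guessed at.

```python
"""Classify a Splunk Enterprise version against the CVE-2026-20253 advisory.

Ranges are taken from the advisory as quoted above: 10.0.0-10.0.6 (fixed in
10.0.7) and 10.2.0-10.2.3 (fixed in 10.2.4); 10.4 is listed as not affected.
Added example, not Splunk's own tooling; the sample version strings at the
bottom are constructed.
"""
from __future__ import annotations
import re
from typing import Tuple

# (first affected, first fixed) per affected release line, from the advisory.
AFFECTED_RANGES = {
    (10, 0): ((10, 0, 0), (10, 0, 7)),
    (10, 2): ((10, 2, 0), (10, 2, 4)),
}
# Release line the advisory explicitly lists as not affected.
NOT_AFFECTED_LINES = {(10, 4)}

# major.minor[.patch] with an optional build/pre-release suffix such as "-rc1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[.+-].*)?$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch][-suffix]' into an int tuple; missing patch is 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Splunk version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def classify(version: str) -> str:
    """Return 'affected', 'fixed', 'not affected' or 'not covered by advisory'."""
    v = parse_version(version)
    line = v[:2]
    if line in AFFECTED_RANGES:
        first_affected, first_fixed = AFFECTED_RANGES[line]
        if first_affected <= v < first_fixed:
            return "affected"
        return "fixed"  # at or beyond the first fixed release on that line
    if line in NOT_AFFECTED_LINES:
        return "not affected"
    return "not covered by advisory"


if __name__ == "__main__":
    # Constructed sample inputs, not data from the advisory.
    for sample in ["10.0.6", "10.0.7", "10.2.3", "10.2.4", "10.4.0", "10.1.2"]:
        print(f"{sample:8s} -> {classify(sample)}")
```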
What this means for technologists, affected enterprises, and adversaries
- Technologists and security teams: The vulnerability allows unauthenticated, network-reachable actors to perform file operations and, via a chained restore process, to run SQL that can write files and trigger code execution. Teams running impacted versions need to prioritize applying the 10.0.7 or 10.2.4 updates (or otherwise ensure they are not using affected releases).
- Affected enterprises and procurement leaders: Buyers and operators should confirm whether deployed Splunk Enterprise instances use the PostgreSQL sidecar service and validate version numbers against the fixed releases. The advisory makes clear that Splunk Cloud customers do not use the implicated sidecars and therefore are not affected.
- Adversaries and threat actors: The report notes that "Although there is no evidence of the flaw being exploited in the wild, the availability of the exploit specifics can be enough to drive threat actors to trigger opportunistic attempts." The public technical details lower the bar for exploitation on susceptible, network-reachable installations.
There is no public evidence reported that CVE-2026-20253 has been used in attacks so far, but the advisory and WatchTowr Labs' technical disclosure lay out a clear, replicable path from unauthenticated access to arbitrary file writes and potential remote code execution. Splunk's fixes are narrowly targeted to specific minor releases, and the advisory closes with a direct admonition: it is essential that users move quickly to apply the fixes to stay protected.
Original reporting: https://thehackernews.com/2026/06/critical-splunk-enterprise-flaw-lets.html