A critical vulnerability (CVE-2026-20253) has been identified in Splunk Enterprise that allows unauthenticated attackers to perform arbitrary file operations and achieve remote code execution (RCE). The flaw stems from missing authentication controls in a PostgreSQL sidecar service endpoint.
Exploitation requires no credentials and can be performed remotely if the vulnerable service is exposed. Given the availability of technical details and exploitation methodology, there is a high likelihood of rapid weaponisation and opportunistic exploitation.
Affected Products:
Splunk Enterprise versions:
- 10.0.0 – 10.0.6 (fixed in 10.0.7)
- 10.2.0 – 10.2.3 (fixed in 10.2.4)
Not affected:
- Splunk Enterprise 10.4
- Splunk Cloud (does not use PostgreSQL sidecars)
Technical Details:
The vulnerability exists due to missing authentication on specific PostgreSQL sidecar endpoints, allowing any network-accessible attacker to:
- Create arbitrary files
- Overwrite or truncate files
- Execute controlled database operations
These weaknesses can be chained into full remote code execution.
Exploitation Mechanism:
Attackers leverage exposed endpoints:
- /v1/postgres/recovery/backup
- /v1/postgres/recovery/restore
Attack chain:
- Connect to an attacker-controlled database.
- Use the /backup endpoint to dump database contents into an arbitrary file on the Splunk host.
- Use the /restore endpoint to import the malicious dump.
- Embed crafted SQL that gets executed during the restore process.
Attackers can define PostgreSQL functions (e.g., using lo_export) to:
- Write files to the Splunk filesystem
- Drop malicious payloads
- Overshadow legitimate scripts
This leads to arbitrary file write capabilities, which can escalate to RCE.
RCE Path:
A typical escalation path involves:
- Writing a malicious Python script to a frequently executed location, such as /opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py
- Triggering execution via normal Splunk operations
This results in persistent execution of attacker-controlled code within the Splunk environment.
Recommendations:
- Patch immediately. Upgrade to:
  - 10.0.7 or later
  - 10.2.4 or later
- Restrict network exposure:
  - Block access to PostgreSQL sidecar endpoints from untrusted networks
  - Enforce segmentation
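As an added example (not part of the bulletin or of any Splunk tooling), the following script turns the two actionable facts above into checks a defender can run: it classifies a Splunk Enterprise version against the affected ranges listed under Affected Products, and it flags requests to the two sidecar recovery endpoints named under Exploitation Mechanism in access-log lines. The log format is a generic combined-log layout and the sample lines are constructed; the real sidecar log format and field layout are assumptions.

```python
import re
from typing import Iterable

# Affected ranges as published in the bulletin: branch -> (first affected patch, first fixed patch)
AFFECTED_BRANCHES = {
    (10, 0): (0, 7),   # 10.0.0 - 10.0.6 affected, fixed in 10.0.7
    (10, 2): (0, 4),   # 10.2.0 - 10.2.3 affected, fixed in 10.2.4
}

def version_status(version: str) -> str:
    """Classify a Splunk Enterprise version string against the bulletin's ranges.
    Returns 'affected', 'not affected', or 'unknown' (branch not covered by the bulletin)."""
    try:
        major, minor, patch = (int(p) for p in version.strip().split(".")[:3])
    except ValueError:
        return "unknown"
    rng = AFFECTED_BRANCHES.get((major, minor))
    if rng is None:
        # 10.4 is explicitly listed as not affected; other branches are not covered by the bulletin
        return "not affected" if (major, minor) == (10, 4) else "unknown"
    first_affected, fixed_in = rng
    return "affected" if first_affected <= patch < fixed_in else "not affected"

# Sidecar endpoints named in the bulletin; a request to them from an untrusted source is suspect.
RECOVERY_ENDPOINTS = ("/v1/postgres/recovery/backup", "/v1/postgres/recovery/restore")

# Generic access-log pattern (client ip, method, path). Assumption: real sidecar logs may differ.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*"')

def find_recovery_requests(lines: Iterable[str], trusted_sources=()) -> list:
    """Return (src, method, path) for each request to a recovery endpoint from an untrusted source."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]   # ignore any query string
        if path in RECOVERY_ENDPOINTS and m.group("src") not in trusted_sources:
            hits.append((m.group("src"), m.group("method"), path))
    return hits

# Constructed sample lines (not real traffic) to exercise the detector.
SAMPLE_LOG = [
    '203.0.113.9 - - [01/Jan/2026:10:00:00 +0000] "POST /v1/postgres/recovery/backup HTTP/1.1" 200 12',
    '10.0.0.5 - - [01/Jan/2026:10:00:01 +0000] "GET /services/server/info HTTP/1.1" 200 4096',
    '203.0.113.9 - - [01/Jan/2026:10:00:02 +0000] "POST /v1/postgres/recovery/restore?x=1 HTTP/1.1" 200 12',
    '10.0.0.5 - - [01/Jan/2026:10:00:03 +0000] "POST /v1/postgres/recovery/backup HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for v in ("10.0.6", "10.0.7", "10.2.3", "10.2.4", "10.4.0"):
        print(v, version_status(v))
    for hit in find_recovery_requests(SAMPLE_LOG, trusted_sources={"10.0.0.5"}):
        print("suspicious sidecar recovery request:", hit)
```

Feed the detector the real access logs of the host running the sidecar and treat every hit from outside the management network as an incident trigger, regardless of whether the version check reports the host as patched.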
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.
