A maximum-severity vulnerability in Splunk Enterprise has been disclosed and formally added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, demanding immediate action from security operations teams worldwide.
Tracked as CVE-2026-20253, the flaw carries a near-perfect CVSS score of 9.8 and allows a completely unauthenticated, network-reachable attacker to create or truncate arbitrary files via an exposed PostgreSQL sidecar service endpoint.
Security researchers at watchTowr Labs have since demonstrated that this file-write primitive leads to full pre-authentication Remote Code Execution (RCE).
CVE-2026-20253 is rooted in CWE-306: Missing Authentication for Critical Function. The PostgreSQL sidecar service, introduced in Splunk Enterprise version 10 and above, exposes internal HTTP API endpoints, notably /v1/postgres/recovery/backup and /v1/postgres/recovery/restore, without any form of credential verification.
Because the main Splunk web application (listening on port 8000) can transparently proxy requests to the local sidecar service running on 127.0.0.1:5435, any attacker who can reach the Splunk web interface can effectively invoke privileged file operations on the underlying host without a single valid credential.
Splunk officially confirmed in advisory SVD-2026-0603 that the vulnerability stems from the sidecar endpoint design that “lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials.”
Critically, Splunk Enterprise deployed on AWS is vulnerable out of the box since the PostgreSQL sidecar service is both installed and enabled by default in cloud-hosted environments.
Security researchers at watchTowr Labs chained the initial file creation and truncation primitive into a complete pre-authentication remote code execution exploit, a finding that justifies the 9.8 CVSS score. The attack chain unfolds in several stages:
- Unauthenticated File Truncation: A crafted POST request to `/en-US/splunkd/__raw/v1/postgres/recovery/backup` with an `Authorization: Basic Og==` header (blank credentials) creates an empty file at any attacker-specified path using directory traversal in the `backupFile` parameter.
- PostgreSQL Connection Hijacking: The `database` parameter passed to `pg_dump` accepts full PostgreSQL connection strings. Attackers inject `hostaddr=attacker-controlled-host`, overriding the hardcoded `-h localhost` argument and forcing Splunk to connect to an external attacker-controlled database.
- Malicious Database Dump Delivery: Splunk’s `.pgpass` file at `/opt/splunk/var/packages/data/postgres/.pgpass` stores the `postgres_admin` credentials in plaintext. Injecting `passfile=` into the `database` parameter of the `/restore` endpoint allows the attacker to authenticate to Splunk’s local PostgreSQL instance.
- Arbitrary File Write via SQL `lo_export`: A crafted database dump containing a malicious PostgreSQL function using `lo_export` writes attacker-controlled content to any path as the `splunk` OS user during the restore operation.
- Full RCE via Python Script Overwrite: Attackers overwrite periodically executed Splunk Python scripts (e.g., `/opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py`) with malicious payloads, achieving operating system-level command execution.
No user interaction and no prior authentication are required at any point in this chain.
Affected Versions
Organizations must audit their Splunk deployments immediately. The following versions are confirmed vulnerable:
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Splunk Enterprise 10.2.x | 10.2.0 – 10.2.3 | 10.2.4 |
| Splunk Enterprise 10.0.x | 10.0.0 – 10.0.6 | 10.0.7 |
| Splunk Enterprise 10.4.x | Not affected | 10.4.0 (safe) |
| Splunk Enterprise 9.4.x | 9.4.0 – 9.4.11 | 9.4.12 |
| Splunk Enterprise 9.3.x | 9.3.0 – 9.3.12 | 9.3.13 |
| Splunk Cloud Platform | Multiple tracks below June 2026 builds | Vendor-patched |
| Splunk Secure Gateway App | Below 3.10.6 / 3.9.20 / 3.8.67 | 3.10.6 / 3.9.20 / 3.8.67 |
Splunk Cloud Platform customers do not need to take action on CVE-2026-20253 specifically, as the sidecar service is not present in Splunk’s managed cloud product.
CISA added CVE-2026-20253 to its KEV catalog on June 18, 2026, with a mandatory remediation deadline of June 21, 2026, an extremely tight 3-day window.
This urgency aligns with CISA’s Binding Operational Directive 26-04, which requires federal agencies to remediate vulnerabilities that affect publicly exposed assets, can be fully automated for exploitation, allow system takeover, and show evidence of real-world risk.
The directive also mandates forensic triage to determine whether affected systems may have already been silently compromised prior to patching.
- Upgrade immediately to Splunk Enterprise 10.2.4, 10.0.7, 9.4.12, or 9.3.13 depending on your deployment branch.
- If patching is not immediately possible, disable the PostgreSQL sidecar service as a temporary mitigation; no other workaround exists for CVE-2026-20253.
- Block network access to `/v1/postgres/recovery/*` endpoints at your perimeter firewall and WAF, and ensure Splunk management interfaces are not exposed to the internet.
- Hunt for past exploitation by reviewing access logs for anomalous requests to `/en-US/splunkd/__raw/v1/postgres/recovery/` paths and checking for unauthorized modifications to Python scripts under `/opt/splunk/etc/apps/`.
- Isolate internet-facing Splunk instances behind a VPN and enforce strict network segmentation around all Splunk management ports immediately.
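The two hunting steps above (access-log review and script-integrity checking) can be scripted. The following is an added example written for this article; it is not code from Splunk, watchTowr Labs or the advisory. It assumes Splunk’s web access log uses an NCSA-style line (client IP, user, timestamp, request line, status), flags every request that reaches the `/v1/postgres/recovery/` API and raises extra indicators for the traversal and connection-string patterns the article describes, and compares SHA-256 hashes of `.py` files under an apps directory against a known-good baseline. The sample log lines are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Sidecar API prefix that the advisory says is reachable without credentials.
SIDECAR_PREFIX = "/v1/postgres/recovery/"

# Assumption: web_access.log lines begin in this NCSA-like shape; adjust if your
# deployment's log format differs. Only the leading fields are matched.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic): one benign login page hit,
# two sidecar requests with blank user and suspicious query strings, one benign API call.
SAMPLE_LOG = [
    '10.0.0.5 - admin [18/Jun/2026:09:12:01.000 +0000] "GET /en-US/app/launcher/home HTTP/1.1" 200 5120',
    '203.0.113.7 - - [18/Jun/2026:09:14:33.000 +0000] "POST /en-US/splunkd/__raw/v1/postgres/recovery/backup?backupFile=..%2F..%2Fetc%2Fapps%2Fx.py HTTP/1.1" 200 12',
    '203.0.113.7 - - [18/Jun/2026:09:15:02.000 +0000] "POST /en-US/splunkd/__raw/v1/postgres/recovery/restore?database=hostaddr%3D203.0.113.9 HTTP/1.1" 200 12',
    '10.0.0.5 - admin [18/Jun/2026:09:20:00.000 +0000] "GET /en-US/splunkd/__raw/services/server/info HTTP/1.1" 200 900',
]


def classify_request(method: str, raw_path: str, status: str) -> list[str]:
    """Return indicator tags for one request; an empty list means nothing to review."""
    path = unquote(raw_path)  # decode %2e%2e / %3D so encoded patterns are visible
    tags = []
    if SIDECAR_PREFIX in path:
        tags.append("sidecar-endpoint")          # any hit on the unauthenticated API
        if ".." in path:
            tags.append("path-traversal")        # backupFile directory traversal
        if "hostaddr=" in path or "passfile=" in path:
            tags.append("pg-connstring-injection")  # database parameter abuse
        if method == "POST" and status.startswith("2"):
            tags.append("accepted-write")        # the server acted on the request
    return tags


def scan_access_log(lines) -> list[tuple]:
    """Return (line_no, ip, user, path, tags) for every line touching the sidecar API."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; keep going rather than abort the hunt
        tags = classify_request(m["method"], m["path"], m["status"])
        if tags:
            hits.append((n, m["ip"], m["user"], m["path"], tags))
    return hits


def hash_scripts(root: Path) -> dict[str, str]:
    """SHA-256 of every .py file under root, keyed by path relative to root."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*.py"))
    }


def find_modified_scripts(root: Path, baseline: dict[str, str]) -> dict[str, str]:
    """Diff current script hashes against a baseline taken from a clean install.

    Returns {relative_path: "modified" | "added" | "missing"}.
    """
    current = hash_scripts(root)
    findings = {}
    for rel, digest in current.items():
        if rel not in baseline:
            findings[rel] = "added"
        elif baseline[rel] != digest:
            findings[rel] = "modified"
    for rel in baseline:
        if rel not in current:
            findings[rel] = "missing"
    return findings


def demo_baseline_check() -> dict[str, str]:
    """Build a throwaway apps tree, baseline it, tamper with it, and report the diff."""
    root = Path(tempfile.mkdtemp(prefix="apps_"))
    (root / "bin").mkdir()
    (root / "bin" / "a.py").write_text("print('original')\n")
    baseline = hash_scripts(root)
    (root / "bin" / "a.py").write_text("print('overwritten')\n")  # simulated tampering
    (root / "bin" / "b.py").write_text("")                         # simulated dropped file
    return find_modified_scripts(root, baseline)


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("log line %d from %s (user %s): %s -> %s" % hit)
    print("script integrity findings:", demo_baseline_check())
```

In production, feed `scan_access_log` the real `web_access.log` (or the equivalent splunkd access log) and hash `/opt/splunk/etc/apps/` against a baseline captured from a clean install or the vendor packages. Note that POST bodies are normally not logged, so the `backupFile` and `database` values may never appear in the access log; treat any request to the sidecar prefix as worth reviewing, not only those with the extra tags.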
CVE-2026-20253 was disclosed on June 10, 2026 alongside three additional high-severity flaws in the same Splunk advisory batch.
These include CVE-2026-20251 (CVSS 8.8), an unsafe deserialization flaw in the Splunk Secure Gateway app’s KV Store via the jsonpickle library that enables RCE with only low-privilege access;
CVE-2026-20258 (CVSS 7.1), a stored XSS flaw in classic dashboard HTML panels; and CVE-2026-20252 (CVSS 7.6), a Server-Side Request Forgery (SSRF) vulnerability in Dashboard Studio’s PDF export feature that can be abused by low-privileged users to reach internal network destinations.
The combination of these vulnerabilities represents a critical attack surface for enterprise SOCs and IT monitoring infrastructure globally.
FAQ
Q1. What is CVE-2026-20253?
CVE-2026-20253 is a critical missing authentication vulnerability (CVSS 9.8) in Splunk Enterprise’s PostgreSQL sidecar service that allows unauthenticated attackers to create or truncate arbitrary files and achieve remote code execution.
Q2. Which Splunk versions are affected by CVE-2026-20253?
Splunk Enterprise versions 10.0.0–10.0.6, 10.2.0–10.2.3, 9.3.0–9.3.12, and 9.4.0–9.4.11 are affected; Splunk Cloud Platform is not impacted by this specific CVE.
Q3. What is the fix for CVE-2026-20253?
Upgrade to Splunk Enterprise 10.0.7, 10.2.4, 9.3.13, or 9.4.12; if patching is impossible, disable the PostgreSQL sidecar service — there is no other workaround.
Q4. Why does CISA’s BOD 26-04 set only a 3-day patch deadline for this vulnerability?
BOD 26-04 mandates a 3-day remediation window when a vulnerability affects a publicly exposed asset, can be fully automated for exploitation, and allows full system takeover, all criteria CVE-2026-20253 meets.
Site: thecybrdef.com