Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication
Splunk Enterprise flaw CVE-2026-20253 allows unauthenticated RCE via PostgreSQL sidecar.
Summary
A critical vulnerability (CVE-2026-20253) in Splunk Enterprise allows unauthenticated attackers to execute arbitrary code remotely. The flaw, rated 9.8 CVSS, stems from a lack of authentication controls on a PostgreSQL sidecar service endpoint, enabling attackers to perform file operations and ultimately overwrite critical scripts for RCE. Splunk has released patches for affected versions.
Full text
Ravie Lakshmanan, Jun 13, 2026
Vulnerability / Enterprise Software

Splunk has released security updates to address a critical security flaw in Splunk Enterprise that could be exploited to conduct unauthenticated file operations and even remote code execution.

The vulnerability, tracked as CVE-2026-20253, is rated 9.8 on the CVSS scoring system.

"In Splunk Enterprise versions below 10.2.4 and 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint," Splunk said in an alert this week. "The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials."

The issue has been addressed in the following versions:

- Splunk Enterprise 10.0.0 to 10.0.6 - Fixed in 10.0.7
- Splunk Enterprise 10.2.0 to 10.2.3 - Fixed in 10.2.4
- Splunk Enterprise 10.4 - Not affected

Splunk, which is part of Cisco, said Splunk Cloud is not impacted by the vulnerability as Postgres sidecars are not used in the product.

What the Flaw is All About

On Friday, watchTowr Labs released additional technical details of CVE-2026-20253, stating it could be exploited to achieve pre-authenticated remote code execution on susceptible systems through the "/v1/postgres/recovery/backup" and "/v1/postgres/recovery/restore" endpoints.
The attack chain works as follows:

- Connect to an attacker-controlled database and dump its contents into an arbitrary file using the /backup endpoint.
- Load the dump of the attacker-controlled database into the local PostgreSQL instance using the /restore endpoint by including a "passfile" argument that specifies the path to a ".pgpass" file ("/opt/splunk/var/packages/data/postgres/.pgpass") containing the password for the "postgres_admin" user.
- SQL queries defined in the database dump will get executed by Splunk's PostgreSQL instance.

An attacker could weaponize this weakness to define a new function that uses lo_export - a function used to extract a BLOB from the database and save it as a file on the file system - to write attacker-controlled content to a file, following which the function gets executed during the restoration process.

"At this point, we can authenticate, restore attacker-controlled SQL, and interact with the local database," security researchers Piotr Bazydlo and Yordan Ganchev said. "Once we could restore attacker-controlled SQL into the local PostgreSQL instance, we quickly put together a database dump template that gave us a controlled file write."

Armed with an arbitrary file write primitive on the Splunk file system, an attacker could escalate further to remote code execution by overwriting a Python script that Splunk frequently executes (e.g., "/opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py") to include the malicious payload.
The entire sequence of actions is below:

- Create a database and configure it such that a user can authenticate without a password, and grant it sufficient permissions to invoke functions like lo_export.
- Use the /backup endpoint to drop a dump of the remote database onto the Splunk file system.
- Use the /restore endpoint to load the malicious database dump, trigger execution of the malicious function during the restore process, and write an attacker-controlled Python script to the Splunk file system.

Although there is no evidence of the flaw being exploited in the wild, the availability of the exploit specifics can be enough to drive threat actors to trigger opportunistic attempts. It's essential that users move quickly to apply the fixes to stay protected.
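Added example (not code from the article, from Splunk or from watchTowr): a small Python triage script for defenders that encodes the fixed-version table from Splunk's advisory quoted above and scans web-server-style access-log lines for requests to the two sidecar endpoints named in the watchTowr write-up, so an operator can tell which hosts still need the patch and whether the endpoints have been hit. The log lines are constructed samples in an assumed Apache-style combined format; the article does not describe how the sidecar itself logs, so the regex and the function names is_affected and flag_sidecar_requests are assumptions for illustration.

```python
"""
Triage helpers for CVE-2026-20253 (Splunk Enterprise PostgreSQL sidecar).

Added example, not Splunk's or watchTowr's code. The version table comes
from the advisory text; the log format is an assumed Apache/NGINX-style
combined format, since the article does not describe sidecar logging.
"""
import re
from typing import Dict, List, Optional, Tuple

# Advisory table: minor branch -> first fixed version in that branch.
# 10.0.0..10.0.6 fixed in 10.0.7; 10.2.0..10.2.3 fixed in 10.2.4.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (10, 0): (10, 0, 7),
    (10, 2): (10, 2, 4),
}
NOT_AFFECTED_BRANCHES = {(10, 4)}  # advisory: 10.4 not affected

# Unauthenticated sidecar endpoints named in the watchTowr write-up.
SIDECAR_ENDPOINTS = (
    "/v1/postgres/recovery/backup",
    "/v1/postgres/recovery/restore",
)

# Assumed combined-log layout: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '10.2' or '10.2.3' into a comparable (major, minor, patch) tuple."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 3:
        nums.append(0)
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> Optional[bool]:
    """True if the version is in an affected range per the advisory, False if it
    is at/after the fix or in a branch the advisory lists as not affected, and
    None if the branch is not covered by the advisory at all."""
    v = parse_version(version)
    branch = (v[0], v[1])
    if branch in FIXED_VERSIONS:
        return v < FIXED_VERSIONS[branch]
    if branch in NOT_AFFECTED_BRANCHES:
        return False
    return None


def flag_sidecar_requests(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per log line whose request path (query string
    stripped) is one of the sidecar endpoints. Unparseable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path in SIDECAR_ENDPOINTS:
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "path": path,
                "status": int(m.group("status")),
            })
    return hits


# Constructed sample log lines (not real traffic); the two sidecar requests
# come from a single external address so the report groups by source.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Jun/2026:10:01:02 +0000] "GET /en-US/app/launcher/home?x=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [13/Jun/2026:10:05:41 +0000] "POST /v1/postgres/recovery/backup HTTP/1.1" 200 88',
    '198.51.100.7 - - [13/Jun/2026:10:05:43 +0000] "POST /v1/postgres/recovery/restore HTTP/1.1" 200 64',
    'this line is not in the expected format',
]

if __name__ == "__main__":
    for ver in ("10.0.6", "10.0.7", "10.2.3", "10.2.4", "10.4", "10.3.1"):
        print(f"{ver:>7}: affected={is_affected(ver)}")
    for hit in flag_sidecar_requests(SAMPLE_LOG):
        print(f"sidecar endpoint hit: {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")
```

Feed the script real access-log lines from the hosts fronting the sidecar (adjusting LOG_RE if the format differs) and treat any hit from an address that is not an expected backup/restore orchestrator as a finding to investigate, alongside checking that each host's version reports False from is_affected.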
Indicators of Compromise
- cve — CVE-2026-20253