PT-2026-48493 · Splunk · Splunk Enterprise+1

Alex Hordijk · Published 2026-06-10 · Updated 2026-06-20

CVE-2026-20253
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Splunk Enterprise versions prior to 10.2.4
Splunk Enterprise versions prior to 10.0.7
Splunk Cloud Platform versions prior to 10.4.2604.3
Splunk Cloud Platform versions prior to 10.2.2510.14

Description
An unauthenticated user can create or truncate arbitrary files through a PostgreSQL sidecar service endpoint because the endpoint lacks authentication controls. A network-reachable attacker can invoke file operations without credentials, which can lead to data destruction, service disruption, privilege escalation, or remote code execution (RCE) by overwriting sensitive files or configurations. The flaw is particularly prevalent in AWS deployments, where the sidecar is enabled by default. Exploitation uses the /en-US/splunkd/__raw/v1/postgres/recovery/backup endpoint and its hostaddr parameter to force a connection to an external database. The attacker can then use the server-side lo_export() function to write malicious content to critical files, such as Python scripts like ssg_enable_modular_input.py, which the Splunk scheduler executes. There are reports of limited real-world exploitation of this issue.

Recommendations
For Splunk Enterprise versions prior to 10.2.4, upgrade to version 10.2.4 or later.
For Splunk Enterprise versions prior to 10.0.7, upgrade to version 10.0.7 or later.
For Splunk Cloud Platform versions prior to 10.4.2604.3, upgrade to version 10.4.2604.3 or later.
For Splunk Cloud Platform versions prior to 10.2.2510.14, upgrade to version 10.2.2510.14 or later.
As a temporary workaround, disable the PostgreSQL sidecar service. Restrict network access to Splunk instances with firewall rules so that management ports are not exposed publicly.
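A defender-side check for the endpoint named in the description, added here as an example that is not part of the advisory or of any Splunk tooling: it scans access-log lines for requests to the recovery/backup endpoint and flags those that were unauthenticated or that carried a hostaddr pointing away from loopback. The log lines are constructed in common-log-format shape (not real Splunk log output), and the assumption that the sidecar's legitimate database lives on loopback is the author's, not the advisory's.

```python
import re
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the advisory; it should never be hit without credentials.
SIDECAR_BACKUP_PATH = "/splunkd/__raw/v1/postgres/recovery/backup"

# Constructed sample lines: client - user [time] "METHOD target HTTP/1.1" status bytes
SAMPLE_LOG = """\
10.0.0.5 - admin [10/Jun/2026:12:00:01 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 512
198.51.100.7 - - [10/Jun/2026:12:00:02 +0000] "POST /en-US/splunkd/__raw/v1/postgres/recovery/backup?hostaddr=203.0.113.9&port=5432 HTTP/1.1" 200 64
127.0.0.1 - svc_backup [10/Jun/2026:12:00:03 +0000] "POST /en-US/splunkd/__raw/v1/postgres/recovery/backup HTTP/1.1" 200 64
198.51.100.7 - - [10/Jun/2026:12:00:04 +0000] "GET /en-US/splunkd/__raw/v1/postgres/recovery/backup?hostaddr=127.0.0.1 HTTP/1.1" 401 0
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def _points_away_from_loopback(hostaddr):
    """Assumption: the sidecar's own database is local, so any hostaddr that is
    not a loopback IP (or is not parseable as an IP) is the red flag."""
    try:
        return not ip_address(hostaddr).is_loopback
    except ValueError:
        return True


def find_sidecar_abuse(log_text):
    """One finding per request to the backup endpoint; an empty 'reasons' list
    means an authenticated request with no external hostaddr (likely benign)."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected shape
        parts = urlsplit(m["target"])
        if not parts.path.endswith(SIDECAR_BACKUP_PATH):
            continue
        hostaddr = parse_qs(parts.query).get("hostaddr", [None])[0]
        reasons = []
        if m["user"] == "-":
            reasons.append("unauthenticated")
        if hostaddr is not None and _points_away_from_loopback(hostaddr):
            reasons.append("hostaddr=%s is not loopback" % hostaddr)
        findings.append({"client": m["client"], "user": m["user"],
                         "status": m["status"], "hostaddr": hostaddr,
                         "reasons": reasons})
    return findings
```

Even a 401 against this endpoint is kept as a finding, because repeated attempts from one client are the reconnaissance signal a patched instance still wants to see.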

Exploit

Fix

RCE

LPE

Missing Authentication


Weakness Enumeration

Related Identifiers

CVE-2026-20253

Affected Products

Splunk Cloud Platform
Splunk Enterprise