Splunk has released security updates to address a critical vulnerability in Splunk Enterprise that could allow unauthenticated attackers to perform arbitrary file operations and achieve remote code execution. This flaw, identified as CVE-2026-20253, carries a CVSS score of 9.8, indicating its severity.
The vulnerability affects Splunk Enterprise versions prior to 10.2.4 and 10.0.7. It resides in the PostgreSQL sidecar service endpoint, which lacks proper authentication controls. This oversight enables any network-accessible user to invoke file operations without requiring credentials. Specifically, an unauthenticated user could create or truncate arbitrary files through this endpoint.
To mitigate this issue, Splunk has provided patches in the following versions:
- Splunk Enterprise 10.0.0 to 10.0.6: Fixed in 10.0.7
- Splunk Enterprise 10.2.0 to 10.2.3: Fixed in 10.2.4
- Splunk Enterprise 10.4: Not affected
Notably, Splunk Cloud is not impacted by this vulnerability, as it does not utilize PostgreSQL sidecars.
Further technical analysis reveals that the flaw can be exploited through the “/v1/postgres/recovery/backup” and “/v1/postgres/recovery/restore” endpoints. An attacker could connect to a database under their control and use the backup endpoint to dump its contents into an arbitrary file on the target system. Subsequently, by leveraging the restore endpoint with a specially crafted “passfile” argument, the attacker can load this dump into the local PostgreSQL instance. This process allows the execution of SQL queries defined in the dump, potentially leading to remote code execution.
For instance, an attacker could define a new function that uses the PostgreSQL function “lo_export” to write controlled content to a file on the system. By executing this function during the restoration process, the attacker gains the ability to write arbitrary files. This capability can be escalated to remote code execution by overwriting a Python script that Splunk frequently executes, such as “/opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py,” inserting malicious code that will run with the next execution of the script.
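As an added defender-side example (not code from Splunk or from the original write-up), the script below checks a reported Splunk Enterprise version against the affected ranges listed above and scans access-log lines for requests to the two recovery endpoints named in the analysis, flagging those with no authenticated user. The log format is a constructed, generic one, not real splunkd output, and versions outside the listed ranges are reported as "not listed" rather than assumed safe.

```python
import re
from typing import List, Tuple

# Affected ranges and fixed versions as stated in the advisory summary above:
# (first affected, last affected, fixed release). 10.4 is stated as not affected.
AFFECTED_RANGES = [
    ((10, 0, 0), (10, 0, 6), "10.0.7"),
    ((10, 2, 0), (10, 2, 3), "10.2.4"),
]

# Sidecar endpoints named in the write-up; any request to them deserves review.
SENSITIVE_PATHS = ("/v1/postgres/recovery/backup", "/v1/postgres/recovery/restore")

def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '10.2.3' into (10, 2, 3); missing components count as 0."""
    parts = tuple(int(p) for p in s.strip().split("."))
    return parts + (0,) * (3 - len(parts))

def assess_version(version: str) -> str:
    """Map a version to an action based only on the ranges the advisory lists."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return f"vulnerable, upgrade to {fixed}"
    # Versions such as 10.1.x or 10.3.x are not covered by the summary above.
    return "not in the affected ranges listed"

# Constructed access-log shape (assumed, not Splunk's): client - user "METHOD path proto" status
LOG_LINE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def find_sidecar_hits(lines: List[str]) -> List[dict]:
    """Return requests to the recovery endpoints, noting if no user was authenticated."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path in SENSITIVE_PATHS:
            hits.append({
                "client": m.group("client"),
                "path": path,
                "unauthenticated": m.group("user") == "-",
                "status": int(m.group("status")),
            })
    return hits

# Constructed sample lines for demonstration only.
SAMPLE_LOG = [
    '10.0.0.5 - - "POST /v1/postgres/recovery/backup HTTP/1.1" 200',
    '10.0.0.5 - - "POST /v1/postgres/recovery/restore?x=1 HTTP/1.1" 200',
    '10.0.0.9 - admin "GET /services/server/info HTTP/1.1" 200',
]
```

Feeding real access logs through `find_sidecar_hits` and alerting on any hit whose `unauthenticated` flag is set gives a quick triage signal while the upgrade is being rolled out.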
While there is currently no evidence of this vulnerability being exploited in the wild, the detailed exploit information now available could prompt threat actors to develop and deploy attacks targeting unpatched systems. Organizations using affected versions of Splunk Enterprise are strongly advised to apply the provided patches immediately to mitigate potential risks.
This incident underscores the critical importance of timely patch management and the need for robust authentication controls in software components. As attackers continually seek out and exploit such vulnerabilities, organizations must remain vigilant, ensuring that all systems are updated promptly and that security best practices are consistently followed to protect against potential breaches.