CVE-2026-20253
Unauthenticated Arbitrary File Creation and Truncation in a PostgreSQL Sidecar Service Endpoint in Splunk Enterprise
In short
An attacker without login credentials can create or delete files on a Splunk server by accessing an unprotected PostgreSQL service. This is critical because it allows unauthorized modification of system files that could crash the system or expose sensitive data.
Technical detail
CWE-306: Missing Authentication Check. An unauthenticated attacker with network access can invoke file creation and truncation operations on the PostgreSQL sidecar service endpoint in affected Splunk Enterprise versions (10.2.x before 10.2.4, 10.x before 10.0.7), resulting in arbitrary file manipulation with system-level impact.
Summary generated and translated by AI from the official description.
In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials. Splunk Enterprise versions 9.4 and earlier are not affected. If you cannot immediately upgrade to a fixed version, you can mitigate this vulnerability by disabling the PostgreSQL sidecar service.
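The affected-version ranges above are the kind of thing a defender wants to apply across a fleet inventory. The following is an added example, not code from Splunk or from the advisory: it encodes the stated ranges (10.2.x before 10.2.4 affected, 10.x before 10.0.7 affected, 9.4 and earlier not affected) and flags any version the advisory does not explicitly cover as unknown rather than guessing; the inventory entries are constructed sample data.

```python
from typing import Dict, List, Tuple

def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' (extra components and suffixes ignored).
    A missing patch component is treated as 0."""
    core = version.strip().split("-")[0]          # drop build suffix like '-abc'
    parts = [int(p) for p in core.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]

def assess(version: str) -> Tuple[str, str]:
    """Classify a Splunk Enterprise version against CVE-2026-20253.
    Returns (status, reason) with status in
    {'affected', 'fixed', 'not_affected', 'unknown'}."""
    major, minor, patch = parse_version(version)
    # Advisory: 10.2 versions below 10.2.4 are affected.
    if (major, minor) == (10, 2):
        return ("affected", "10.2.x below 10.2.4") if patch < 4 \
            else ("fixed", "10.2.4 or later")
    # Advisory: 10 versions below 10.0.7 are affected.
    if (major, minor) == (10, 0):
        return ("affected", "10.0.x below 10.0.7") if patch < 7 \
            else ("fixed", "10.0.7 or later")
    # Advisory: 9.4 and earlier are not affected.
    if (major, minor) <= (9, 4):
        return ("not_affected", "9.4 and earlier not affected")
    # Anything else (e.g. 10.1.x, 10.3+, 9.5+) is not named by the advisory.
    return ("unknown", "version not covered by advisory; check vendor guidance")

def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) for every host that needs action
    (status 'affected' or 'unknown'), sorted by host name."""
    results = []
    for host, version in sorted(inventory.items()):
        status, _ = assess(version)
        if status in ("affected", "unknown"):
            results.append((host, version, status))
    return results

if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {"idx-01": "10.2.3", "sh-01": "10.2.4", "idx-02": "10.0.6",
              "hf-01": "9.4.2", "idx-03": "10.1.0"}
    for host, version, status in triage(sample):
        print(f"{host}: {version} -> {status}")
```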
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Splunk · Splunk Enterprise
Public PoCs found — 4
- github.com/watchtowrlabs/watchTowr-vs-Splunk-CVE-2026-20253 (★ 11)
- github.com/0xBlackash/CVE-2026-20253 (★ 2)
- github.com/HORKimhab/CVE-2026-20253 (★ 0)
- Reference: labs.watchtowr.com/why-use-app-level-auth-when-every-database-has-auth-splunk-enterprise-cve-2026-20253-pre-auth-rce/ (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.