CVE-2026-20253
published 2026-06-10


Priority: P1 (score 100)
CVSS 3.1: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2026-06-21
Exploited in the wild
EPSS: 88.17% (99.7th percentile)
In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials. Splunk Enterprise versions 9.4 and earlier are not affected. If you cannot immediately upgrade to a fixed version, you can mitigate this vulnerability by disabling the PostgreSQL sidecar service.

Affected (4 ranges)

Vendor   Product             Version range          Fixed in
splunk   splunk              >= 10.0.0 < 10.0.7     10.0.7
splunk   splunk              >= 10.2.0 < 10.2.4     10.2.4
splunk   splunk_enterprise   >= 10.0 < 10.0.7       10.0.7
splunk   splunk_enterprise   >= 10.2 < 10.2.4       10.2.4

Detection & IOCs (extracted from sources)

url:      /v1/postgres/recovery/backup
url:      /v1/postgres/recovery/restore
path:     /opt/splunk/var/packages/data/postgres/.pgpass
path:     /opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py
url:      POST /{{region}}/splunkd/__raw/v1/postgres/recovery/backup HTTP/1.1
other:    Authorization: Basic ZGFnOg==
filename: .pgpass
  • Detect unauthenticated POST requests to the PostgreSQL sidecar backup/restore endpoints. The Nuclei template treats an HTTP 400 response containing 'Failed to decode' in the body as the probe indicator.
  • Monitor for requests to /splunkd/__raw/v1/postgres/recovery/backup or /restore without valid authentication headers, particularly from external or untrusted network sources.
  • Alert on creation or modification of .pgpass files under the Splunk data directory; writing this file is a key step in the exploit chain used to extract the postgres_admin password.
  • Monitor for unexpected writes to Python scripts under /opt/splunk/etc/apps/, especially ssg_enable_modular_input.py, which is the overwrite target used to achieve RCE.
  • Hunt for use of the PostgreSQL lo_export function in database activity logs; it is leveraged to write attacker-controlled content to the Splunk file system during the restore phase.
  • Use FOFA or similar internet-scanning intelligence to identify exposed Splunk instances: body contains both 'enterprise' and 'splunk'.
  • Splunk Cloud Platform is NOT affected by this vulnerability, as Postgres sidecars are not used in that product.
  • Splunk Enterprise versions 9.4 and earlier are not affected; only versions 10.0.0–10.0.6 and 10.2.0–10.2.3 are vulnerable.
  • Disabling the PostgreSQL sidecar service as a mitigation will break Edge Processor, OpAmp, or SPL2 data pipelines on affected instances.
  • Splunk Enterprise 10.4 is not affected by this vulnerability.
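One way to turn the first four detection points above into a hunt over log records, as an added example that is not from this page, from Splunk, or from the referenced Nuclei template. The JSON record shape (proxy-style HTTP records plus file-write events) and the /en-US/ locale prefix are assumptions; the endpoints, header value and file paths are the ones listed above.

```python
import json
import re

# Endpoints, IoC header value and file paths named on this page.
SIDECAR_RE = re.compile(r"/splunkd/__raw/v1/postgres/recovery/(backup|restore)\b")
IOC_AUTH = "Basic ZGFnOg=="  # literal Authorization value listed as an IoC above
PGPASS_RE = re.compile(r"^/opt/splunk/var/.*/\.pgpass$")
SSG_SCRIPT = "/opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py"
APPS_PY_RE = re.compile(r"^/opt/splunk/etc/apps/.*\.py$")

def classify(rec: dict) -> list[str]:
    """Return alert tags for one record; an empty list means nothing matched."""
    tags = []
    if rec.get("kind") == "http" and SIDECAR_RE.search(rec.get("path", "")):
        auth = rec.get("authorization")
        if rec.get("method") == "POST" and not auth:
            tags.append("sidecar-unauth-post")     # the core condition of the CVE
        if auth == IOC_AUTH:
            tags.append("sidecar-ioc-basic-auth")  # header value seen in exploit traffic
    elif rec.get("kind") == "file" and rec.get("op") in ("create", "write", "truncate"):
        path = rec.get("path", "")
        if PGPASS_RE.match(path):
            tags.append("pgpass-written")          # postgres_admin password extraction step
        if path == SSG_SCRIPT:
            tags.append("ssg-script-overwritten")  # overwrite target used for RCE
        elif APPS_PY_RE.match(path):
            tags.append("apps-python-written")
    return tags

def scan(lines) -> list[tuple[int, list[str]]]:
    """Parse JSON lines and return (line_no, tags) for every record that alerts."""
    hits = []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the hunt
        if tags := classify(rec):
            hits.append((n, tags))
    return hits

# Constructed sample records (assumed shape, not real telemetry): one authenticated
# call, one unauthenticated POST, one IoC header, one .pgpass write, one script overwrite.
SAMPLE_LOG = [
    '{"kind":"http","src":"10.0.0.5","method":"POST","path":"/en-US/splunkd/__raw/v1/postgres/recovery/backup","authorization":"Bearer REDACTED"}',
    '{"kind":"http","src":"198.51.100.7","method":"POST","path":"/en-US/splunkd/__raw/v1/postgres/recovery/backup","authorization":null}',
    '{"kind":"http","src":"198.51.100.7","method":"POST","path":"/en-US/splunkd/__raw/v1/postgres/recovery/restore","authorization":"Basic ZGFnOg=="}',
    '{"kind":"file","op":"create","path":"/opt/splunk/var/packages/data/postgres/.pgpass"}',
    '{"kind":"file","op":"write","path":"/opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py"}',
]
```

Running `scan(SAMPLE_LOG)` flags records 2 through 5; the authenticated call in record 1 is left alone, which matches the "without valid authentication headers" condition in the bullets above.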

CVSS provenance

nvd        v3.1   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck         9.8   CRITICAL
cisa              9.8   CRITICAL