Executive Summary
A critical security vulnerability, SVD-2026-0603 (also known as CVE-2026-20253), has been discovered in Splunk Enterprise versions 10.0.0 through 10.0.6 and 10.2.0 through 10.2.3. This flaw enables unauthenticated, remote attackers to create or truncate arbitrary files on the host system by abusing the PostgreSQL Sidecar Service endpoints. The vulnerability is being actively exploited in the wild, with public proof-of-concept code and technical analyses available. It is cataloged in the CISA Known Exploited Vulnerabilities (KEV) list, underscoring its severity and the urgency for remediation. Successful exploitation can result in full remote code execution (RCE) as the Splunk user, potentially leading to complete compromise of affected systems.
Technical Information
The vulnerability arises from missing authentication controls on the PostgreSQL Sidecar Service endpoints within Splunk Enterprise. Specifically, the endpoints /v1/postgres/recovery/backup and /v1/postgres/recovery/restore are exposed without requiring any form of authentication, allowing any network-accessible user to invoke sensitive file operations.
The core technical issue is classified under CWE-306: Missing Authentication for Critical Function. The vulnerability is tracked as CVE-2026-20253 and has been assigned a CVSS v3.1 base score of 9.8 (Critical), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. This reflects the ease of exploitation (no authentication, no user interaction, low complexity) and the high impact on confidentiality, integrity, and availability.
Exploitation Mechanics
Attackers exploit the vulnerability by sending crafted HTTP POST requests to the exposed endpoints. The backupFile parameter in the request body allows the attacker to specify arbitrary file paths. This can be leveraged to create new files, truncate existing files, or, through chaining operations, write attacker-controlled content to files on the host.
A typical attack sequence involves:
- Sending a POST request to /v1/postgres/recovery/backup with a crafted backupFile path, resulting in the creation or truncation of a file at the specified location.
- Chaining this with a POST request to /v1/postgres/recovery/restore lets the attacker write arbitrary content to files, including malicious scripts.
- By targeting executable scripts or configuration files used by Splunk, attackers can achieve remote code execution when these files are subsequently executed by the application.
A particularly dangerous vector involves writing a malicious Python script to a location such as /opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py. When Splunk executes this script, the attacker's code runs with the privileges of the Splunk user.
Attackers can further escalate the attack by manipulating PostgreSQL connection string parameters (such as hostaddr and passfile) to force Splunk to connect to attacker-controlled databases, enabling the import of malicious SQL and facilitating arbitrary file writes and code execution.
Example Exploit Requests
To create an arbitrary file:
POST /en-US/splunkd/__raw/v1/postgres/recovery/backup HTTP/1.1
Host: <target>
Content-Type: application/json
Authorization: Basic Og==

{"database":"search_metadata","backupFile":"../../../../../../../../../tmp/backuptest"}
To achieve RCE via restore:
POST /en-US/splunkd/__raw/v1/postgres/recovery/restore HTTP/1.1
Host: <target>
Content-Type: application/json
Authorization: Basic cG9zdGdyZXNfYWRtaW46

{"database":"dbname=template1 passfile=/opt/splunk/var/packages/data/postgres/.pgpass","backupFile":"/tmp/poc"}
A detection artifact generator and proof-of-concept exploit are available from WatchTowr Labs.
Detection and Forensics
Indicators of compromise include unexpected files in directories such as /tmp/ or /opt/splunk/var/run/supervisor/pkg-run/, modified or overwritten Splunk Python scripts (notably in the splunk_secure_gateway app), the presence of files like /opt/splunk/share/splunk/search_mrsparkle/exposed/watchTowr.txt, and unusual outbound connections from Splunk to unknown PostgreSQL servers.
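The request-level indicators above can be checked directly in Splunk's own web access logging. The following script is an added example written for this advisory, not code from Splunk, WatchTowr Labs or Rescana. It parses a handful of constructed log lines that approximate the web_access.log format (the exact field layout is an assumption), flags any request to the /v1/postgres/recovery/backup or /v1/postgres/recovery/restore endpoints, and correlates per source address so that a successful POST to backup followed by a successful POST to restore from the same client is reported as the file-write chain described in the Exploitation Mechanics section.

```python
import re

# Constructed sample lines approximating Splunk's web_access.log format (assumption,
# not captured from a real system). Lines three and four show one client hitting the
# sidecar backup and restore endpoints without an authenticated user.
SAMPLE_LOG = """\
10.1.2.3 - admin [18/Jun/2026:09:58:10.001 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 5120 - - - 12ms
10.1.2.3 - admin [18/Jun/2026:09:58:11.120 +0000] "POST /en-US/splunkd/__raw/services/search/jobs HTTP/1.1" 201 310 - - - 40ms
203.0.113.45 - - [18/Jun/2026:10:02:33.517 +0000] "POST /en-US/splunkd/__raw/v1/postgres/recovery/backup HTTP/1.1" 200 57 - - - 8ms
203.0.113.45 - - [18/Jun/2026:10:02:34.002 +0000] "POST /en-US/splunkd/__raw/v1/postgres/recovery/restore HTTP/1.1" 200 41 - - - 15ms
10.1.2.9 - - [18/Jun/2026:10:05:00.000 +0000] "GET /en-US/splunkd/__raw/v1/postgres/recovery/backup HTTP/1.1" 405 0 - - - 1ms
"""

# Combined-log style prefix: source, ident, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The two unauthenticated sidecar endpoints named in the advisory.
SIDECAR_RE = re.compile(r'/v1/postgres/recovery/(backup|restore)(\?|$)')


def parse_line(line):
    """Return a dict of the interesting fields, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_sidecar_hits(log_text):
    """Every parsed request whose path targets a sidecar recovery endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = SIDECAR_RE.search(rec["path"])
        if m:
            rec["endpoint"] = m.group(1)
            hits.append(rec)
    return hits


def correlate_chains(hits):
    """Group hits by source address (log order preserved).

    'write_chain' is set when a successful POST to restore is seen after a
    successful POST to backup from the same source, i.e. the sequence that
    turns file creation/truncation into an arbitrary file write.
    """
    by_src = {}
    for h in hits:
        s = by_src.setdefault(
            h["src"],
            {"requests": 0, "unauthenticated": False,
             "backup_ok": False, "write_chain": False},
        )
        s["requests"] += 1
        if h["user"] == "-":
            s["unauthenticated"] = True
        success = h["method"] == "POST" and 200 <= h["status"] < 300
        if success and h["endpoint"] == "backup":
            s["backup_ok"] = True
        if success and h["endpoint"] == "restore" and s["backup_ok"]:
            s["write_chain"] = True
    return by_src


if __name__ == "__main__":
    for src, summary in correlate_chains(find_sidecar_hits(SAMPLE_LOG)).items():
        level = "CRITICAL" if summary["write_chain"] else "WARN"
        print(f"{level} {src}: {summary}")
```

Any hit at all is worth triage on an unpatched host, since the endpoints have no legitimate unauthenticated callers; the chain flag simply orders the queue. The same logic can be pointed at a real web_access.log after confirming the field layout matches the regular expression.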
MITRE ATT&CK Mapping
This vulnerability aligns with several MITRE ATT&CK techniques: T1190 (Exploit Public-Facing Application), T1059 (Command and Scripting Interpreter), T1569.002 (System Services: Service Execution), and T1105 (Ingress Tool Transfer).
Exploitation in the Wild
Active exploitation of CVE-2026-20253 has been confirmed by both Splunk PSIRT and CISA, with the vulnerability added to the KEV catalog on June 18, 2026. WatchTowr Labs has published a detailed technical analysis and a working exploit, significantly lowering the barrier for both opportunistic and targeted attacks.
The attack surface is broad: Splunk Enterprise deployments on AWS are vulnerable by default, while on-premises installations may require explicit enabling of the PostgreSQL Sidecar Service. The availability of public proof-of-concept code and the trivial nature of exploitation (no authentication required) make this vulnerability highly attractive to a wide range of threat actors.
APT Groups using this vulnerability
As of the time of this report, there is no public attribution of exploitation of CVE-2026-20253 to specific advanced persistent threat (APT) groups. However, the combination of active exploitation, public proof-of-concept code, and the critical impact of the vulnerability makes it highly likely that both opportunistic cybercriminals and sophisticated threat actors will incorporate this exploit into their toolkits. The lack of authentication and the potential for full remote code execution mean that any organization running affected versions of Splunk Enterprise is at significant risk, regardless of sector or geography.
Affected Product Versions
The following versions of Splunk Enterprise are affected by CVE-2026-20253:
Splunk Enterprise versions 10.2.0 through 10.2.3 and 10.0.0 through 10.0.6 are vulnerable. The issue is resolved in versions 10.2.4 and 10.0.7, respectively. Splunk Enterprise version 10.4.0 and later, as well as all versions of Splunk Cloud Platform, are not affected. Additionally, Splunk Enterprise versions 9.4.x and earlier are not impacted by this vulnerability.
Workaround and Mitigation
The primary mitigation is to upgrade Splunk Enterprise to a fixed version: 10.2.4, 10.0.7, or 10.4.0 and above. Organizations unable to upgrade immediately should disable the PostgreSQL Sidecar Service by adding the following configuration to $SPLUNK_HOME/etc/system/local/server.conf:
[postgres]
disabled = true
After making this change, a restart of Splunk Enterprise is required. It is important to note that disabling the PostgreSQL Sidecar Service will break functionality for Edge Processor, OpAmp, or SPL2 data pipelines, which may impact certain operational workflows.
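To turn the Affected Product Versions section and the server.conf workaround above into a repeatable posture check, the following script is an added example written for this advisory (not Splunk's or Rescana's code). It encodes the affected ranges and fixed releases exactly as stated in the advisory, parses a server.conf fragment with Python's standard configparser, and reports whether a host is vulnerable, mitigated by the workaround, or not affected. The sample configurations are constructed; the script only reads the one file it is given, so the layering of system/local over system/default is the caller's responsibility (assumption).

```python
import configparser

# Affected ranges (inclusive) and the first fixed release per branch, from the advisory.
AFFECTED = [
    ((10, 0, 0), (10, 0, 6), (10, 0, 7)),
    ((10, 2, 0), (10, 2, 3), (10, 2, 4)),
]

# Constructed server.conf fragments: one without the workaround, one with it.
WEAK_CONF = "[general]\nserverName = splunk-idx-01\n"
FIXED_CONF = WEAK_CONF + "\n[postgres]\ndisabled = true\n"


def parse_version(text):
    """'10.2.3' -> (10, 2, 3); raises ValueError on non-numeric components."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version):
    """Return (affected, fixed_in) for the branches the advisory lists."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED:
        if low <= v <= high:
            return True, ".".join(str(n) for n in fixed)
    return False, None


def sidecar_disabled(server_conf_text):
    """True only if the [postgres] stanza explicitly disables the sidecar.

    A missing stanza is treated as not mitigated: the advisory notes the
    service is enabled by default on AWS, so absence proves nothing.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(server_conf_text)
    if not cp.has_section("postgres"):
        return False
    value = cp.get("postgres", "disabled", fallback="false").strip().lower()
    return value in ("true", "1")


def assess(version, server_conf_text):
    """Combine the version check and the workaround check into one verdict."""
    affected, fixed_in = is_affected(version)
    mitigated = sidecar_disabled(server_conf_text)
    if not affected:
        status = "not_affected"
    elif mitigated:
        status = "workaround_applied"   # still upgrade; this is interim only
    else:
        status = "vulnerable"
    return {
        "version": version,
        "affected": affected,
        "fixed_in": fixed_in,
        "sidecar_disabled": mitigated,
        "status": status,
    }


if __name__ == "__main__":
    for ver, conf in [("10.2.1", WEAK_CONF), ("10.2.1", FIXED_CONF), ("10.0.7", WEAK_CONF)]:
        print(assess(ver, conf))
```

The script reads configuration on disk, so it cannot confirm that Splunk Enterprise was restarted after the stanza was added; pair a "workaround_applied" result with a check that the sidecar process is no longer running, and treat it as a stopgap until the fixed release is installed.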
Organizations should also monitor for indicators of compromise, such as unexpected files or modified scripts, and review outbound connections from Splunk servers for signs of malicious activity.
References
For further technical details and official advisories, consult the following resources:
Splunk Advisory SVD-2026-0603: https://advisory.splunk.com/advisories/SVD-2026-0603
NVD CVE-2026-20253: https://nvd.nist.gov/vuln/detail/CVE-2026-20253
WatchTowr Labs Technical Writeup & PoC: https://labs.watchtowr.com/why-use-app-level-auth-when-every-database-has-auth-splunk-enterprise-cve-2026-20253-pre-auth-rce/
CISA KEV Catalog Entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-20253
Rescana is here for you
Rescana is committed to helping organizations proactively manage third-party and supply chain cyber risk. Our advanced TPRM platform empowers security teams to continuously monitor, assess, and mitigate vulnerabilities across their digital ecosystem. If you have any questions about this advisory or require assistance with your cybersecurity posture, our experts are ready to help. Please contact us at ops@rescana.com.