Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication

Posted by Admin, June 14, 2026

Ravie Lakshmanan, Jun 13, 2026. Vulnerability / Enterprise Software

Splunk has released security updates to address a critical security flaw in Splunk Enterprise that could be exploited to conduct unauthenticated file operations and even remote code execution.

The vulnerability, tracked as CVE-2026-20253, is rated 9.8 on the CVSS scoring system.

“In Splunk Enterprise versions below 10.2.4 and 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint,” Splunk said in an alert this week.

“The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials.”

The issue has been addressed in the following versions –

  • Splunk Enterprise 10.0.0 to 10.0.6 – Fixed in 10.0.7
  • Splunk Enterprise 10.2.0 to 10.2.3 – Fixed in 10.2.4
  • Splunk Enterprise 10.4 – Not affected

Splunk, which is part of Cisco, said Splunk Cloud is not impacted by the vulnerability as Postgres sidecars are not used in the product.

What the Flaw is All About

On Friday, watchTowr Labs released additional technical details of CVE-2026-20253, stating it could be exploited to achieve pre-authenticated remote code execution on susceptible systems through the “/v1/postgres/restoration/backup” and “/v1/postgres/restoration/restore” endpoints.

The attack chain works as follows –

  • Connect to an attacker-controlled database and dump its contents into an arbitrary file using the /backup endpoint
  • Load the dump of the attacker-controlled database into the local PostgreSQL instance using the /restore endpoint by including a “passfile” argument that specifies the path to a “.pgpass” file (“/opt/splunk/var/packages/data/postgres/.pgpass”) containing the password for the “postgres_admin” user
  • SQL queries defined in the database dump will get executed by Splunk’s PostgreSQL instance

An attacker could weaponize this weakness to define a new function that uses lo_export – a function used to extract a BLOB from the database and save it as a file on the file system – to write attacker-controlled content to a file, following which the function gets executed during the restore process.

“At this point, we can authenticate, restore attacker-controlled SQL, and interact with the local database,” security researchers Piotr Bazydlo and Yordan Ganchev said. “Once we could restore attacker-controlled SQL into the local PostgreSQL instance, we quickly put together a database dump template that gave us a controlled file write.”

Armed with an arbitrary file write primitive on the Splunk file system, an attacker could escalate further to remote code execution by overwriting a Python script that Splunk regularly executes (e.g., “/opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py”) to include the malicious payload.

The entire sequence of actions is below –

  • Create a database and configure it such that a user can authenticate without a password and grant it sufficient permissions to invoke functions like lo_export
  • Use the /backup endpoint to drop a dump of the remote database onto the Splunk file system
  • Use the /restore endpoint to load the malicious database dump, trigger execution of the malicious function during the restore process, and write an attacker-controlled Python script to the Splunk file system

Although there is no evidence of the flaw being exploited in the wild, the availability of the exploit specifics could be enough to drive threat actors to trigger opportunistic attempts. It is essential that users move quickly to apply the fixes to stay protected.
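For defenders reviewing logs while patching, the sketch below is an added example (not code from Splunk, watchTowr or the article) that hunts for the backup-then-restore call sequence described above. The access-log line shape, the sample lines and the assumption that only loopback clients should ever call the sidecar endpoints are all hypothetical.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# The two sidecar endpoints named in the article; the middle path segment is
# left open so the match does not depend on its exact spelling.
ENDPOINT = re.compile(r"/v1/postgres/[^/\s?]+/(backup|restore)\b")
# Assumed log shape: <client> - - [<time>] "<METHOD> <path> HTTP/x" <status>
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3}')


def is_remote(client):
    """True unless the client is a loopback address (unparseable counts as remote)."""
    try:
        return not ip_address(client).is_loopback
    except ValueError:
        return True


def hunt(lines):
    """Map each remote client that called the endpoints to a verdict."""
    calls = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, path = m.groups()
        hit = ENDPOINT.search(path)
        if hit and is_remote(client):
            calls[client].append(hit.group(1))
    verdicts = {}
    for client, ops in calls.items():
        # A backup call followed later by a restore call mirrors the article's sequence.
        chained = "backup" in ops and "restore" in ops[ops.index("backup") + 1:]
        verdicts[client] = "backup-then-restore" if chained else "endpoint-touched"
    return verdicts


# Constructed sample lines for illustration; not real Splunk output.
SAMPLE = [
    '203.0.113.7 - - [13/Jun/2026:10:01:02 +0000] "POST /v1/postgres/restoration/backup HTTP/1.1" 200 64',
    '127.0.0.1 - - [13/Jun/2026:10:01:30 +0000] "POST /v1/postgres/restoration/backup HTTP/1.1" 200 64',
    '203.0.113.7 - - [13/Jun/2026:10:02:11 +0000] "POST /v1/postgres/restoration/restore HTTP/1.1" 200 64',
    '198.51.100.20 - - [13/Jun/2026:10:05:40 +0000] "POST /v1/postgres/restoration/restore HTTP/1.1" 401 0',
    '198.51.100.20 - - [13/Jun/2026:10:06:00 +0000] "GET /en-US/account/login HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, verdict in sorted(hunt(SAMPLE).items()):
        print(client, verdict)
```

Any "backup-then-restore" verdict from a non-local client on an unpatched host warrants checking the integrity of scripts Splunk executes on a schedule, such as the one named above.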
