Mallory
Critical · CISA KEV · Exploited in the wild · Public exploit

Unauthenticated Arbitrary File Creation/Truncation in Splunk Enterprise PostgreSQL Sidecar Service

Identifiers: CVE-2026-20253 · CWE-306 (Missing Authentication for…)

CVE-2026-20253 is a critical missing-authentication vulnerability in the PostgreSQL sidecar service used by Splunk Enterprise 10.x. In affected releases, the PostgreSQL sidecar recovery endpoint does not enforce authentication, allowing any network-reachable attacker to invoke file-related operations without credentials. Splunk states that affected versions are Splunk Enterprise 10.2 prior to 10.2.4 and 10.0 prior to 10.0.7; Splunk Enterprise 9.4 and earlier are not affected. The vulnerable functionality is exposed through PostgreSQL sidecar recovery endpoints used for backup and restore operations, including paths such as /v1/postgres/recovery/backup and /v1/postgres/recovery/restore as proxied through Splunk Web. Public technical analysis indicates attacker-controlled parameters can be used to create or truncate arbitrary files on the underlying system, and the file-write primitive can be chained with PostgreSQL restore behavior and functions such as lo_export to achieve remote code execution as the Splunk service account.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a remote unauthenticated attacker to create arbitrary files or truncate existing files on the target Splunk server. This can cause destruction or corruption of logs, configuration, or application data, resulting in service disruption, loss of visibility, and integrity compromise. Public reporting and technical analysis further indicate the primitive can be escalated to pre-authentication remote code execution by restoring attacker-controlled PostgreSQL content and writing executable or routinely invoked files within the Splunk installation. In practice, this can lead to full compromise of the Splunk application environment, exposure of stored credentials, tampering with security data, persistence, and potential lateral movement into connected internal systems.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, Splunk states the vulnerability can be mitigated by disabling the PostgreSQL sidecar service. Additional temporary risk-reduction measures reported in the supporting material include restricting network access to the Splunk management interface and the PostgreSQL sidecar recovery endpoints, limiting exposure to trusted administrative networks only, and monitoring for indicators such as requests containing path-traversal sequences, unexpected execution of pg_dump or pg_restore, unusual dump-file creation, outbound connections from the Splunk host to unknown PostgreSQL servers, and suspicious file modifications within the Splunk installation. These measures reduce exposure but are not a substitute for applying the vendor fix.
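As an added illustration of the monitoring indicators listed above (example code written for this page, not Mallory's or Splunk's), the following Python scans constructed access-log and process-telemetry lines for the indicators the advisory names: requests to the sidecar recovery endpoints, traversal sequences in the request target, pg_dump or pg_restore execution, and outbound PostgreSQL connections to hosts outside an allowlist. The log line shapes, the KNOWN_PG_HOSTS allowlist, the telemetry field names (image, parent, dest) and the query-parameter name in the sample are all assumptions; the Splunk Web proxy prefix in front of the endpoint paths is not given on the page, so endpoint matching is done by substring.

```python
"""Indicator checks for CVE-2026-20253 telemetry (added example; not Mallory's or Splunk's code)."""
import re
from urllib.parse import unquote

# Recovery endpoints named in the advisory. The proxy prefix Splunk Web puts in front
# of them is not specified on the page, so matching is by substring.
RECOVERY_ENDPOINTS = ("/v1/postgres/recovery/backup", "/v1/postgres/recovery/restore")
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
PG_TOOLS = {"pg_dump", "pg_restore"}
# Assumption: the sidecar database is only ever reached locally; anything else is unknown.
KNOWN_PG_HOSTS = {"127.0.0.1", "::1", "localhost"}

# Common-log-format style access line (assumed shape, not Splunk's exact format).
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# key=value telemetry line (assumed shape); values may be quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def classify_access_line(line: str):
    """Return a finding for a request to a sidecar recovery endpoint, else None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    # Decode twice so single- and double-encoded traversal both surface.
    decoded = unquote(unquote(m.group("target")))
    path = decoded.split("?", 1)[0]
    if not any(ep in path for ep in RECOVERY_ENDPOINTS):
        return None
    reasons = ["request to PostgreSQL sidecar recovery endpoint"]
    severity = "high"
    if m.group("user") == "-":
        reasons.append("no authenticated user on request")
    if TRAVERSAL_RE.search(decoded):
        reasons.append("path traversal sequence in request target")
        severity = "critical"
    return {"src": m.group("src"), "ts": m.group("ts"), "method": m.group("method"),
            "path": path, "status": int(m.group("status")),
            "severity": severity, "reasons": reasons}


def classify_process_line(line: str):
    """Return a finding for pg_dump/pg_restore execution or a non-local PostgreSQL connection."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    reasons = []
    image = fields.get("image", "").rsplit("/", 1)[-1]
    if image in PG_TOOLS:
        reasons.append(f"{image} executed (parent={fields.get('parent', '?')})")
    host, _, port = fields.get("dest", "").rpartition(":")
    if port == "5432" and host and host not in KNOWN_PG_HOSTS:
        reasons.append(f"outbound PostgreSQL connection to unknown server {host}")
    if not reasons:
        return None
    return {"host": fields.get("host", "?"), "ts": fields.get("ts", "?"),
            "severity": "high", "reasons": reasons}


def scan(access_lines, process_lines):
    """Run both classifiers and return the list of findings."""
    findings = [f for f in map(classify_access_line, access_lines) if f]
    findings += [f for f in map(classify_process_line, process_lines) if f]
    return findings


# Constructed sample telemetry (not real traffic); the "f" parameter name is made up.
SAMPLE_ACCESS = [
    '10.0.0.5 - admin [01/May/2026:10:00:01 +0000] "GET /en-US/account/login HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/May/2026:10:02:17 +0000] "POST /v1/postgres/recovery/backup?f=..%2F..%2Fx HTTP/1.1" 200 0',
    '10.0.0.7 - - [01/May/2026:10:03:40 +0000] "POST /v1/postgres/recovery/restore HTTP/1.1" 200 0',
]
SAMPLE_PROCESS = [
    'ts=2026-05-01T10:03:41Z host=splunk01 event=process_start image=/opt/splunk/bin/pg_restore parent=splunkd dest=203.0.113.9:5432',
    'ts=2026-05-01T10:05:00Z host=splunk01 event=process_start image=/opt/splunk/bin/splunkd parent=init dest=127.0.0.1:8089',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_ACCESS, SAMPLE_PROCESS):
        print(finding["severity"].upper(), finding["ts"], "; ".join(finding["reasons"]))
```

Recovery-endpoint requests are flagged even without a traversal sequence because the advisory's point is that the endpoint accepts unauthenticated calls at all; in a patched or sidecar-disabled deployment any such request is still worth a look, and the allowlist should be tuned to wherever the sidecar's database legitimately lives.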

Remediation

Patch, then assume compromise.

Upgrade Splunk Enterprise to a fixed release: 10.2.4 or later on the 10.2.x branch, or 10.0.7 or later on the 10.0.x branch. Splunk Enterprise 10.4.0 and later are described as not affected. Where Splunk Cloud Platform is in scope, ensure any affected instances are on the vendor-fixed versions. Because this vulnerability has been reported as actively exploited, treat remediation as urgent and follow patching with a compromise assessment and incident-response review for signs of prior exploitation.
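To sweep an inventory against the version ranges stated above, here is an added Python helper (not Splunk's or Mallory's code) that classifies a version string using only the ranges the advisory gives and returns "unknown" for branches the page does not mention (10.1.x, 10.3.x, or 9.x releases above 9.4) rather than guessing. The inventory records are constructed.

```python
"""Version sweep for CVE-2026-20253 (added example; not Splunk's or Mallory's code)."""

# First non-vulnerable build on each affected branch, per the advisory.
FIXED_BY_BRANCH = {(10, 2): (10, 2, 4), (10, 0): (10, 0, 7)}
# 10.4.0 and later are described as not affected; 9.4 and earlier are not affected.
FIRST_UNAFFECTED_BRANCH = (10, 4)
LAST_UNAFFECTED_OLD_BRANCH = (9, 4)


def parse_version(version: str) -> tuple:
    """'10.2.3' -> (10, 2, 3); components beyond the third are ignored."""
    parts = []
    for piece in version.strip().split(".")[:3]:
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            raise ValueError(f"unparseable version: {version!r}")
        parts.append(int(digits))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def assess_version(version: str) -> str:
    """Return 'affected', 'fixed', 'not_affected' or 'unknown' for a Splunk Enterprise version."""
    v = parse_version(version)
    branch = v[:2]
    if branch <= LAST_UNAFFECTED_OLD_BRANCH:
        return "not_affected"
    if branch >= FIRST_UNAFFECTED_BRANCH:
        return "not_affected"
    fix = FIXED_BY_BRANCH.get(branch)
    if fix is None:
        # Branch not listed on the page (e.g. 10.1.x, 10.3.x, 9.x above 9.4): do not guess.
        return "unknown"
    return "affected" if v < fix else "fixed"


def sweep(inventory):
    """Group hosts by assessment; inventory is an iterable of (hostname, version) pairs."""
    result = {"affected": [], "fixed": [], "not_affected": [], "unknown": []}
    for host, version in inventory:
        result[assess_version(version)].append(host)
    return result


# Constructed inventory records, not from a real environment.
SAMPLE_INVENTORY = [
    ("splunk-sh-01", "10.2.3"),
    ("splunk-sh-02", "10.2.4"),
    ("splunk-idx-01", "10.0.6"),
    ("splunk-idx-02", "10.0.7"),
    ("splunk-legacy", "9.4.2"),
    ("splunk-new", "10.4.0"),
    ("splunk-odd", "10.1.1"),
]

if __name__ == "__main__":
    for status, hosts in sweep(SAMPLE_INVENTORY).items():
        print(f"{status:13s} {', '.join(hosts) or '-'}")
```

Hosts that land in "unknown" should be checked against the vendor advisory directly; the sweep deliberately refuses to extrapolate the advisory's ranges to branches it does not list.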
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 3 candidates as fakes, detection scripts, or README-only repos.

Valid: 0 / 3 total

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor   Product            Type
Splunk   Cloud Platform     application
Splunk   Enterprise         application
Splunk   Splunk             application
Splunk   Splunk Enterprise  application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

168 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
