The Vulnerability and Its Impact
Splunk has released urgent security patches for a critical vulnerability in its Enterprise platform that allows an unauthenticated attacker to perform file operations and achieve remote code execution. Tracked as CVE-2026-20253, this flaw carries a CVSS severity score of 9.8. The root cause lies in a PostgreSQL sidecar service endpoint that lacks authentication controls, enabling any network-reachable user to create, truncate, or manipulate files without providing credentials. The affected versions include Splunk Enterprise 10.0.0 through 10.0.6 and 10.2.0 through 10.2.3, with fixes available in versions 10.0.7 and 10.2.4. Splunk Cloud is not affected as it does not use Postgres sidecars.
How the Attack Chain Works
Researchers at watchTowr Labs published technical details revealing that exploitation hinges on two specific endpoints: “/v1/postgres/recovery/backup” and “/v1/postgres/recovery/restore”. An attacker first connects to a database they control and dumps its contents to an arbitrary file on the Splunk system. They then restore that dump into the local PostgreSQL instance by providing a path to a “.pgpass” file, which leaks the password for the “postgres_admin” user. The malicious dump defines a new function that uses lo_export to write attacker-controlled content as a file on the filesystem. This function executes automatically during the restore process. From there, the attacker achieves remote code execution by overwriting a frequently executed Python script, such as “/opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py”, with their own payload.
Urgency and Remediation
While there is currently no evidence of active exploitation in the wild, the public availability of exploit details significantly raises the risk of opportunistic attacks. Splunk urges all administrators of on-premises Enterprise deployments to apply the patches immediately. Organizations running Splunk Cloud are not exposed to this specific vulnerability and do not require action.
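As an added example (not code from the article, Splunk or watchTowr), the following Python helper does two defender-side checks drawn from the details above: it decides whether a reported Splunk Enterprise version falls in the affected ranges, and it scans log lines for requests to the two recovery endpoints that carry no authentication. The log line format is a constructed assumption for this example; the sidecar's real log format is not described in the article.

```python
import re
from typing import Iterable, List, Tuple

# Affected and fixed versions exactly as stated in the advisory summary.
AFFECTED_RANGES = [((10, 0, 0), (10, 0, 6)), ((10, 2, 0), (10, 2, 3))]
FIXED_VERSIONS = [(10, 0, 7), (10, 2, 4)]

# The two sidecar endpoints watchTowr identified as the exploitation path.
SENSITIVE_ENDPOINTS = (
    "/v1/postgres/recovery/backup",
    "/v1/postgres/recovery/restore",
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '10.2.3' into (10, 2, 3); raise ValueError on malformed input."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Splunk version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_affected(version: str) -> bool:
    """True if this Splunk Enterprise version lies inside an affected range."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


# Constructed (hypothetical) access-log format for this example only:
#   <client-ip> <method> <path> <status> auth=<yes|no>
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) auth=(yes|no)$")


def flag_recovery_requests(lines: Iterable[str]) -> List[str]:
    """Return a summary of each unauthenticated hit on a recovery endpoint."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ip, method, path, status, auth = m.groups()
        if path.split("?")[0] in SENSITIVE_ENDPOINTS and auth == "no":
            hits.append(f"{ip} {method} {path} -> {status}")
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "10.1.2.3 POST /v1/postgres/recovery/backup 200 auth=no",
    "10.1.2.3 POST /v1/postgres/recovery/restore 200 auth=no",
    "10.9.9.9 GET /v1/postgres/health 200 auth=yes",
    "10.9.9.9 POST /v1/postgres/recovery/backup 200 auth=yes",
]
```

Running `flag_recovery_requests(SAMPLE_LOG)` on the constructed lines reports the two unauthenticated calls from 10.1.2.3 and ignores the authenticated one.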
Source: https://thehackernews.com/2026/06/critical-splunk-enterprise-flaw-lets.html