Critical Splunk Enterprise Flaw Enables Unauthenticated RCE via PostgreSQL Sidecar
Splunk has rolled out emergency security patches for a critical vulnerability in Splunk Enterprise that allows remote attackers to execute arbitrary code without any authentication credentials. Tracked as CVE-2026-20253, the flaw carries a maximum CVSS score of 9.8 and stems from a missing authentication layer on a PostgreSQL sidecar service endpoint. According to Splunk's advisory, unauthenticated users could create or truncate arbitrary files on susceptible deployments running Splunk Enterprise versions below 10.0.7 and 10.2.4. Splunk 10.4 and Splunk Cloud customers are not affected, as Cloud does not rely on PostgreSQL sidecars.
Researchers at watchTowr Labs published a full technical breakdown of the exploit chain on Friday, demonstrating how the bug translates into pre-authentication remote code execution. The attack leverages two endpoints, /v1/postgres/recovery/backup and /v1/postgres/recovery/restore. An attacker first connects to a database they control and uses the /backup endpoint to dump its contents into an arbitrary path on the target system. They then use the /restore endpoint to load that dump into Splunk's local PostgreSQL instance, supplying a passfile argument pointing to /opt/splunk/var/packages/data/postgres/.pgpass, which contains the password for the postgres_admin user. Because the SQL queries embedded in the dump are executed during restoration, an attacker can call lo_export to write a malicious payload anywhere on the file system. Researchers Piotr Bazydlo and Yordan Ganchev noted that overwriting a frequently executed Python script, such as /opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py, escalates the arbitrary file write into full remote code execution.
Security teams should prioritize patching Splunk Enterprise deployments to versions 10.0.7 or 10.2.4 immediately. Given that the vulnerable endpoint is network-reachable and requires no credentials, organizations should also verify whether their Splunk instances are exposed to the internet using a port scanner to identify any open management interfaces. Hardening internal network segmentation around the PostgreSQL sidecar port is strongly recommended as a compensating control until patching is complete. Administrators should also rotate the postgres_admin password and review Splunk logs for any signs of /v1/postgres/recovery/ endpoint abuse. Defenders can audit their credential exposure more broadly with a password checker to ensure that secrets associated with Splunk service accounts have not appeared in known breach corpora, and run a breach check on administrator emails to rule out credential reuse against the Splunk management interface.
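As an added example (not code from Splunk, watchTowr or the advisory), the following Python triage script flags calls to the two recovery endpoints named above in a request log and checks a version string against the fixed builds. The log format, the client addresses and the `allowed_clients` allowlist are assumptions; the sidecar's real log format is not described here, so the regex will need adapting.

```python
import re
from dataclasses import dataclass

# The two endpoints named in the watchTowr write-up.
RECOVERY_ENDPOINTS = ("/v1/postgres/recovery/backup", "/v1/postgres/recovery/restore")

# Constructed sample lines in an assumed "client method path status" format.
SAMPLE_LOG = """\
10.0.0.12 POST /v1/postgres/recovery/backup 200
10.0.0.12 POST /v1/postgres/recovery/restore?passfile=/opt/splunk/var/packages/data/postgres/.pgpass 200
10.0.0.5 GET /services/server/info 200
10.0.0.12 GET /v1/postgres/health 200
"""

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")


@dataclass
class Finding:
    client: str
    endpoint: str
    detail: str


def triage(log_text, allowed_clients=frozenset()):
    """Return one Finding per recovery-endpoint call from a client not on the allowlist."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path, _, query = m["path"].partition("?")
        if path not in RECOVERY_ENDPOINTS or m["client"] in allowed_clients:
            continue
        detail = "recovery endpoint called"
        # A restore whose passfile points at .pgpass matches the chain described above.
        if path.endswith("/restore") and ".pgpass" in query:
            detail = "restore with passfile pointing at .pgpass"
        findings.append(Finding(m["client"], path, detail))
    return findings


def is_affected(version):
    """True below the fixed builds (10.0.7 on the 10.0 line, 10.2.4 on the 10.2 line),
    False for 10.4, None for release lines the advisory summary does not cover."""
    parts = tuple(int(p) for p in version.split("."))
    if parts[:2] == (10, 0):
        return parts < (10, 0, 7)
    if parts[:2] == (10, 2):
        return parts < (10, 2, 4)
    if parts[:2] == (10, 4):
        return False
    return None
```

Run `triage` over exported request logs with your backup automation's address in `allowed_clients`; any remaining hit is worth treating as a potential exploitation attempt and pairing with a postgres_admin password rotation.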