Splunk Enterprise Pre-Auth RCE via PostgreSQL Sidecar (CVE-2026-20253)
by Piotr (@chudyPB) / watchTowr · 2026-06-28
- Severity: Critical
- CVE: CVE-2026-20253
- Category: web
- Affected product: Splunk Enterprise
- Affected versions: 10.0.0–10.0.6, 10.2.0–10.2.3 (NOT 9.x)
- Disclosed: 2026-06-28
- Patch status: patched
References
Archive entry: intelseclab/poc-archive
Metadata
| Field | Value |
|---|---|
| Date Added | 2026-06-28 |
| Last Updated | 2026-06-12 |
| Author / Researcher | Piotr (@chudyPB) / watchTowr |
| CVE / Advisory | CVE-2026-20253 |
| Category | web |
| Severity | Critical |
| CVSS Score | N/A (Critical, pre-auth RCE chain; see vendor advisory SVD-2026-0603) |
| Status | PoC |
| Tags | pre-auth, RCE, PostgreSQL, Splunk, CISA-KEV, lo-export, sidecar, unauthenticated, file-write |
| Related | N/A |
Affected Target
| Field | Value |
|---|---|
| Software / System | Splunk Enterprise |
| Versions Affected | 10.0.0–10.0.6, 10.2.0–10.2.3 (NOT 9.x) |
| Language / Platform | Python (PoC); Linux (target) |
| Authentication Required | No (unauthenticated) |
| Network Access Required | Yes (HTTP/HTTPS, default port 8000) |
Summary
CVE-2026-20253 is a critical unauthenticated RCE vulnerability in Splunk Enterprise arising from a missing authentication check on the PostgreSQL sidecar service endpoint /v1/postgres/recovery/backup. An unauthenticated attacker can reach this endpoint and use the PostgreSQL lo_export function to write arbitrary files to the OS, which can be chained to achieve remote code execution. A watchTowr PoC was published; exploitation spiked shortly after. CISA added it to KEV on June 18, 2026 with a federal remediation deadline of June 21.
Vulnerability Details
Root Cause
The PostgreSQL sidecar service bundled with Splunk Enterprise exposes an unauthenticated HTTP endpoint at /v1/postgres/recovery/backup. This endpoint allows interaction with the PostgreSQL process without credentials, enabling the lo_export function to write attacker-controlled data to arbitrary filesystem paths. Written content can include a Splunk scripted input or SOAR playbook that triggers RCE when the Splunk process loads it.
Attack Vector
- Send an unauthenticated HTTP request to http://TARGET:8000/<region>/v1/postgres/recovery/backup.
- Exploit lo_export to write a malicious file to a Splunk-loaded path.
- Trigger Splunk to load the file → RCE as the Splunk service user.
Impact
Unauthenticated remote code execution as the Splunk service account. Splunk typically runs with broad filesystem access and may have credentials for integrated data sources (cloud APIs, databases, SIEMs).
Environment / Lab Setup
Target: Splunk Enterprise 10.0.0–10.0.6 or 10.2.0–10.2.3, Linux
Attacker: Python 3 with requests
Proof of Concept
Detection Script
See watchTowr-vs-Splunk-CVE-2026-20253.py in this folder. Detection only — it checks whether the endpoint is reachable without authentication and does not exploit it.
Expected Output (vulnerable)
[+] VULNERABLE - access to /v1/postgres/recovery/backup not blocked
Expected Output (patched)
[-] NOT VULNERABLE - access to /v1/postgres/recovery/backup blocked
Detection & Indicators of Compromise
Remediation
| Action | Detail |
|---|---|
| Patch | Upgrade to Splunk Enterprise 10.4.0, 10.2.4, or 10.0.7 |
| Verify | splunk version; confirm endpoint returns 401 post-patch |
| Vendor advisory | https://advisory.splunk.com/advisories/SVD-2026-0603 |
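The following is an added example (not the watchTowr script or Splunk code) that scripts the Verify row above and the detection outputs listed under Proof of Concept: it checks a `splunk version` string against the advisory's affected ranges and classifies the sidecar endpoint's HTTP status. It goes slightly beyond the archive's two result lines by reporting a 404 separately, since that means the sidecar path is absent rather than blocked. The `<region>` path segment is taken from the archive's URL layout and must be supplied by the operator; it uses only the standard library.

```python
"""Post-patch verification helpers for CVE-2026-20253 (added example)."""
import re
import sys
import urllib.error
import urllib.request

# Advisory ranges: 10.0.0-10.0.6 and 10.2.0-10.2.3 are affected; 10.0.7,
# 10.2.4 and 10.4.0 are fixed builds; 9.x does not ship the sidecar.
AFFECTED_RANGES = [((10, 0, 0), (10, 0, 6)), ((10, 2, 0), (10, 2, 3))]
ENDPOINT = "/v1/postgres/recovery/backup"


def parse_version(text):
    """Extract a (major, minor, patch) tuple from `splunk version` output."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version found in: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_affected_version(text):
    """True when the reported build falls inside an affected range."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def classify_status(status):
    """Map the endpoint's HTTP status to a result line. 401/403 means the
    auth check is in place; 404 means the path is absent (e.g. no sidecar);
    anything else answered without credentials and needs follow-up."""
    if status in (401, 403):
        return "[-] NOT VULNERABLE - access to %s blocked" % ENDPOINT
    if status == 404:
        return "[?] NOT FOUND - %s absent, sidecar may not be deployed" % ENDPOINT
    return "[+] VULNERABLE - access to %s not blocked" % ENDPOINT


def check_endpoint(base_url, region, timeout=10):
    """GET the sidecar path (region prefix as in the archive's URL layout,
    an assumption about the deployment) and classify the status code."""
    url = "%s/%s%s" % (base_url.rstrip("/"), region, ENDPOINT)
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_status(resp.status)
    except urllib.error.HTTPError as e:  # non-2xx is still an answer
        return classify_status(e.code)
    except urllib.error.URLError as e:  # connection-level failure
        return "[!] NO RESPONSE - %s" % e.reason


if __name__ == "__main__":  # usage: script.py https://splunk-host:8000 <region>
    print(check_endpoint(sys.argv[1], sys.argv[2]))
```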
References
Notes
Auto-ingested from https://github.com/watchtowrlabs/watchTowr-vs-Splunk-CVE-2026-20253 on 2026-06-28. First Splunk CVE ever added to CISA KEV (June 18, 2026; federal deadline June 21). The included script is a detection artifact — the full lo_export → RCE chain is documented in the watchTowr blog post but not included here. Older Splunk 9.x builds do not ship the vulnerable PostgreSQL sidecar and are not affected.