Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication
Key Points:
- Splunk has released security updates to fix a critical vulnerability (CVE-2026-20253) in Splunk Enterprise that allows unauthenticated users to perform arbitrary file operations and potentially achieve remote code execution, with a CVSS score of 9.8.
- The flaw exists because the PostgreSQL sidecar service endpoint lacks authentication controls, letting any network-reachable user create or truncate files without credentials in affected versions below 10.0.7 and 10.2.4.
- Exploitation involves using the "/v1/postgres/recovery/backup" and "/v1/postgres/recovery/restore" endpoints to dump an attacker-controlled database to the file system and restore it to execute malicious SQL functions, ultimately allowing arbitrary file writes and remote code execution.
- The vulnerability has been patched in Splunk Enterprise versions 10.0.7 and 10.2.4, with version 10.4 not affected; Splunk Cloud is not impacted since it does not use PostgreSQL sidecars.
- Although no active exploitation has been reported, detailed exploit information is publicly available, so users should update their systems promptly to mitigate potential attacks.
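As an added defender-side example (not code from the advisory or from Splunk), the following Python checks an installed Splunk Enterprise version against the fix releases named above and flags requests to the two recovery endpoints in constructed access-log lines. The common-log-format layout and the sample entries are assumptions for illustration; the summary does not say where or how the sidecar logs its requests.

```python
import re

# Fix releases per the advisory summary: 10.0.7 and 10.2.4; the 10.4 line is not affected.
FIXED_VERSIONS = {(10, 0): (10, 0, 7), (10, 2): (10, 2, 4)}
UNAFFECTED_LINES = {(10, 4)}

# The two sidecar endpoints named in the advisory summary.
RECOVERY_ENDPOINTS = ("/v1/postgres/recovery/backup", "/v1/postgres/recovery/restore")

# Assumed common-log-format layout (not from the advisory).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: one benign request, two hits on the recovery endpoints.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Mar/2026:10:00:01 +0000] "GET /services/server/info HTTP/1.1" 200 512
203.0.113.7 - - [02/Mar/2026:10:00:02 +0000] "POST /v1/postgres/recovery/backup HTTP/1.1" 200 31
203.0.113.7 - - [02/Mar/2026:10:00:03 +0000] "POST /v1/postgres/recovery/restore HTTP/1.1" 200 19
"""


def parse_version(version):
    """Turn '10.2.3' into (10, 2, 3) so tuples compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version):
    """True if below the fix in its line, False if fixed or unaffected, None if the line is not covered by the summary."""
    parts = parse_version(version)
    line = parts[:2]
    if line in UNAFFECTED_LINES:
        return False
    fixed = FIXED_VERSIONS.get(line)
    if fixed is None:
        return None  # e.g. 9.x or 10.1: the summary makes no statement about these lines
    return parts < fixed


def find_recovery_requests(lines):
    """Return (source, method, path, status) for each request to a recovery endpoint."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if match and match["path"].split("?")[0] in RECOVERY_ENDPOINTS:
            hits.append((match["src"], match["method"], match["path"], int(match["status"])))
    return hits
```

Any hit from an address that is not a trusted management host, on a version where `is_affected` returns True, is worth treating as a potential file-write attempt on that instance.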