CVE-2026-20253: Pre-Auth RCE in Splunk Enterprise

Published Date: June 15, 2026
Category: ShadowOpsIntel
Share:

CVE-2026-20253 is a severe security flaw affecting Splunk Enterprise and Splunk Cloud Platform. The flaw exists within a Go-based “PostgreSQL Sidecar Service” component introduced in version 10.0. Due to missing authentication controls on a public reverse-proxy route, an unauthenticated remote attacker can interact directly with internal database utility endpoints. By exploiting command argument injection via these endpoints, attackers can achieve an arbitrary file write primitive and subsequent Pre-Authentication Remote Code Execution (Pre-Auth RCE) on the underlying host operating system.

Severity: Critical

Vulnerability Overview

  • CVE ID: CVE-2026-20253
  • CVSS Score: 9.8
  • Vulnerability Type: Missing Authentication for Critical Function (CWE-306) leading to Path Traversal and Pre-Authentication Remote Code Execution (Pre-Auth RCE).
  • Affected: Splunk Enterprise versions below 10.2.4 and 10.0.7
  • Fixed in: Splunk Enterprise versions 10.4.0, 10.2.4 and 10.0.7, or higher.

Technical Vulnerability Details

Root Cause

The PostgreSQL Sidecar Service endpoint (/v1/postgres/recovery/backup and /v1/postgres/recovery/restore) lacks application-level authentication controls, relying solely on database-level authentication which can be bypassed.

Vulnerable Endpoints

  • POST /en-US/splunkd/__raw/v1/postgres/recovery/backup
  • POST /en-US/splunkd/__raw/v1/postgres/recovery/restore
  • Service listens on 127.0.0[.]1:5435 internally; accessible via main web app proxy on port 8000

Vulnerable Code Pattern

backupCommand uses pg_dump with:

User parameter: -U (attacker-controlled via Authorization header)

  • Database parameter: trailing positional argument (attacker-controlled)
  • Database parameter accepts PostgreSQL connection strings
  • Connection string options override hardcoded -h localhost parameter

Exploitation Chain

Phase 1: Initial Access & Reconnaissance

  1. Access PostgreSQL backup/restore endpoints via main Splunk web interface (port 8000)
  2. No credentials required; accept arbitrary values in Authorization: Basic header
  3. Enumerate available endpoints via binary string analysis

Phase 2: Connection String Injection

  1. Inject PostgreSQL connection string parameters via database parameter
  2. Override hardcoded localhost with attacker-controlled host via hostaddr parameter
  3. Force Splunk PostgreSQL service to connect to attacker-controlled database

Phase 3: Credential Theft

  1. Discover .pgpass file at /opt/splunk/var/packages/data/postgres/.pgpass
  2. File contains plaintext PostgreSQL credentials: postgres_admin user + password hash
  3. Inject passfile parameter pointing to Splunk’s .pgpass location

Phase 4: Malicious Database Injection

  1. Create attacker-controlled PostgreSQL database with embedded SQL functions
  2. Use lo_export() function to write arbitrary file content during restore operation
  3. Dump malicious database onto Splunk filesystem via /backup endpoint
  4. Restore malicious database dump via /restore endpoint (triggers function execution)

Phase 5: Code Execution

  1. Identify frequently-executed Python script: /opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py
  2. Overwrite script with attacker payload using arbitrary file write primitive
  3. Script executes with splunk user privileges on next scheduled run
  4. RCE achieved

Detection Indicators

Network Indicators

  • POST requests to /en-US/splunkd/__raw/v1/postgres/recovery/* endpoints
  • Requests with hostaddr parameter in JSON body
  • Requests with passfile parameter pointing to .pgpass locations
  • Requests with ../ path traversal sequences in backupFile parameter

File System Indicators

  • Unexpected files created in /opt/splunk/var/run/supervisor/pkg-run/ directories
  • Modifications to /opt/splunk/etc/apps/splunk_secure_gateway/bin/ scripts
  • Files created with suspicious names matching backup patterns

HTTP Response Indicators

  • HTTP 200 responses to unauthorized /v1/postgres/recovery/ requests
  • Response includes JSON with id field (backup operation ID)

Recommendations

  1. Upgrade Splunk Enterprise to patched versions.
  2. If on AWS or with Sidecar enabled: disable PostgreSQL Sidecar Service if not required.
  3. Restrict external access to Splunk’s web interface port (default 8000/TCP).

Sources:

  • https://labs.watchtowr.com/why-use-app-level-auth-when-every-database-has-auth-splunk-enterprise-cve-2026-20253-pre-auth-rce/
  • https://advisory.splunk.com/advisories/SVD-2026-0603

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.

×

7th August 2026

New Delhi, India

Know more
Talk to an expert