ctipilot.ch

Splunk Enterprise pre-auth RCE via unauthenticated PostgreSQL sidecar REST API proxied by web tier, CVSS 9.8

cve · CVE-2026-20253

  • Coverage timeline: 1 (first 2026-06-14 → last 2026-06-14)
  • Briefs: 1 (1 distinct)
  • Sources cited: 9 (8 hosts)
  • Sections touched: 1 (deep_dive)
  • Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-06-14: CTI Daily Brief — 2026-06-14
    deep_dive: Deep dive + § 2. Sidecar PostgreSQL Go REST API (loopback 5435) proxied via /en-US/splunkd/__raw/v1/postgres/ with empty Basic creds -> SQL injection in backup/restore -> RCE. Splunk-on-AWS default-vulnerable. T1190/T1059. No ITW yet. Fixed 10.4.0/10.2.4/10.0.7.

Where this entity is cited

  • deep_dive (1)

Source distribution

  • attack.mitre.org: 2 (22%)
  • advisory.splunk.com: 1 (11%)
  • labs.watchtowr.com: 1 (11%)
  • blog.sekoia.io: 1 (11%)
  • enisa.europa.eu: 1 (11%)
  • securityaffairs.com: 1 (11%)
  • thehackernews.com: 1 (11%)
  • wpscan.com: 1 (11%)

Items in briefs about Splunk Enterprise pre-auth RCE via unauthenticated PostgreSQL sidecar REST API proxied by web tier, CVSS 9.8 (2)

CVE-2026-20253 — Splunk Enterprise: unauthenticated arbitrary file creation/truncation via the PostgreSQL sidecar proxy `[SINGLE-SOURCE]`

From CTI Weekly Summary — 2026-W24 (Jun 08 – Jun 14, 2026) · published 2026-06-14

Disclosed this week and not yet seen exploited, but it belongs in the operationally-critical tier because Splunk is the SIEM/log-analytics backbone in many SOCs — including public-sector ones — and an unauthenticated flaw on your detection platform is a defender's worst-case blind spot. Per Splunk's advisory, CVE-2026-20253 (CVSS 9.8, CWE-306 Missing Authentication for Critical Function) lets an unauthenticated actor create or truncate arbitrary files via the bundled PostgreSQL sidecar proxy in Splunk Enterprise 10.0.0–10.0.6 and 10.2.0–10.2.3 — a primitive that can be chained toward code execution but which the advisory itself scopes as file creation/truncation rather than direct RCE (Splunk SVD-2026-0603; daily 06-14). Patch to the fixed maintenance releases; where the Splunk web/API tier is internet-reachable, restrict it now — a compromised SIEM lets an attacker both pivot and rewrite the evidence.

CVE-2026-20253 — Splunk Enterprise: unauthenticated pre-auth RCE via the PostgreSQL sidecar proxy

From CTI Daily Brief — 2026-06-14 · published 2026-06-14

CVE-2026-20253 (CVSS 9.8, CWE-306 Missing Authentication for Critical Function) is an unauthenticated remote code execution flaw in Splunk Enterprise 10.0.0–10.0.6 and 10.2.0–10.2.3 (Splunk SVD-2026-0603, 2026-06-10). watchTowr Labs, which published the full mechanism on 12 June, reports that Splunk-on-AWS is vulnerable out of the box because the PostgreSQL sidecar is enabled by default (watchTowr Labs, 2026-06-12). This brief's deep dive (§ 5) covers the sidecar-proxy chain, detection and patching in detail; fixed versions are 10.4.0, 10.2.4 and 10.0.7.
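
As an added defender-side example (not code from the brief, from watchTowr or from Splunk), the check below scans web-tier access-log lines for requests to the proxied sidecar path prefix named above that arrive with no credentials or with an empty Basic credential; the log layout, addresses, timestamps and the backup/restore sub-paths are constructed assumptions, only the path prefix and the empty-Basic pattern come from the brief.

```python
import re
import base64
import binascii

# Web-tier path prefix that the brief says is proxied to the loopback sidecar.
SIDECAR_PREFIX = "/en-US/splunkd/__raw/v1/postgres/"

# Constructed sample lines (combined-log-like layout plus an auth="..." field).
# Layout, IPs, timestamps and the sub-paths are assumptions made for this example.
SAMPLE_LINES = [
    '203.0.113.7 - - [14/Jun/2026:10:01:02 +0000] "POST /en-US/splunkd/__raw/v1/postgres/backup HTTP/1.1" 200 512 "-" "curl/8.5" auth="Basic Og=="',
    '198.51.100.9 - admin [14/Jun/2026:10:02:11 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 2048 "-" "Mozilla/5.0" auth="Bearer eyJ..."',
    '203.0.113.7 - - [14/Jun/2026:10:03:30 +0000] "POST /en-US/splunkd/__raw/v1/postgres/restore HTTP/1.1" 500 128 "-" "python-requests/2.31" auth="-"',
    '10.0.0.5 - svc [14/Jun/2026:10:04:00 +0000] "GET /en-US/splunkd/__raw/services/server/info HTTP/1.1" 200 900 "-" "Mozilla/5.0" auth="Basic c3ZjOnNlY3JldA=="',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*" '
    r'auth="(?P<auth>[^"]*)"$'
)


def classify_auth(auth: str) -> str:
    """Return 'none', 'empty_basic', 'malformed_basic' or 'credentialed'."""
    if auth in ("", "-"):
        return "none"
    scheme, _, value = auth.partition(" ")
    if scheme.lower() != "basic":
        return "credentialed"  # some other scheme; out of scope for this check
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return "malformed_basic"
    user, _, password = decoded.partition(":")
    # "Og==" is base64 for ":"; both halves empty is the pattern the brief describes.
    return "empty_basic" if user == "" or password == "" else "credentialed"


def find_sidecar_proxy_requests(lines):
    """Flag requests under SIDECAR_PREFIX that carry no usable credentials."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline should count these separately
        path = m.group("path").split("?", 1)[0]
        if not path.startswith(SIDECAR_PREFIX):
            continue
        kind = classify_auth(m.group("auth"))
        if kind != "credentialed":
            findings.append({"ip": m.group("ip"), "path": path,
                             "status": int(m.group("status")), "reason": kind})
    return findings


if __name__ == "__main__":
    for finding in find_sidecar_proxy_requests(SAMPLE_LINES):
        print(finding)
```

Any hit on a patched host is still worth a look, since the same requests against 10.0.0–10.0.6 / 10.2.0–10.2.3 would have reached the sidecar.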

CVE Summary Table

CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source
CVE-2026-10520 | Ivanti Sentry (MDM gateway) | 10.0 | n/a | Yes (2026-06-11) | Yes — gateways backdoored (Shadowserver) | R10.5.2 / R10.6.2 / R10.7.1 | Security Affairs
CVE-2026-10795 | UpdraftPlus WordPress plugin ≤ 1.26.4 | 8.1 | n/a | No | Not confirmed ITW; mechanism public, Wordfence preventive rules | 1.26.5 | WPScan
CVE-2026-20253 | Splunk Enterprise 10.0.x / 10.2.x | 9.8 | n/a | No | PoC/analysis public; no ITW reported | 10.4.0 / 10.2.4 / 10.0.7 | Splunk SVD-2026-0603

(CVE-2026-10520 is carried as the § 0 Immediate Action and § 4 UPDATE; included here for the gate-clearing exploitation picture. CVEs that did not clear a § 2 inclusion gate this run — CVE-2026-47210 (vm2) and CVE-2026-12183 (BUK TS-G) — are noted in § 7.)