- Splunk has patched a critical vulnerability, CVE-2026-20253, rated 9.8 on the CVSS scale, allowing unauthenticated file operations and potential remote code execution.
- The flaw exists in Splunk Enterprise versions below 10.2.4 and 10.0.7 due to an unprotected PostgreSQL sidecar service endpoint.
- Security researchers at watchTowr Labs detailed how the flaw could be weaponized for pre-authenticated RCE, though no active exploitation has been reported.
On June 13, 2026, security firm Splunk, now part of Cisco, patched a severe flaw in its enterprise software. The vulnerability could let remote attackers run arbitrary code on unpatched systems without any login credentials.
The fix ships in Splunk Enterprise versions 10.0.7 and 10.2.4. In an alert this week, Splunk said the issue stems from a PostgreSQL sidecar service endpoint that lacks authentication controls.
Separately, researchers Piotr Bazydlo and Yordan Ganchev from watchTowr Labs published technical details showing how the flaw enables pre-authenticated remote code execution. They explained that an attacker could connect to a malicious database and use the /backup and /restore endpoints to write files.
This arbitrary file write could then be escalated to full remote code execution by overwriting a Python script that Splunk frequently executes. The entire attack chain involves creating a database, dropping a malicious dump, and triggering its execution during restoration.
Users of affected versions must apply the patches immediately to secure their systems. Splunk Cloud platforms are not impacted, as they do not use the vulnerable PostgreSQL sidecars.
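For administrators triaging a fleet, the practical first step is to compare each installation's version against the fixed releases named above. The script below is an added example written for this article, not code from Splunk, Cisco or watchTowr Labs. It assumes the version string is pulled from free text in the form "Splunk X.Y.Z (...)" (for instance the output of the Splunk CLI), and it only models the two release branches the advisory summary names (10.0.x fixed in 10.0.7, 10.2.x fixed in 10.2.4); any other branch is reported as "unknown" rather than guessed at, so the official advisory remains the authority for those.

```python
import re
from typing import Optional, Tuple

# Fixed releases named in the advisory summary. Assumption: only these two
# branches are modelled; anything else is reported as "unknown".
FIXED_VERSIONS = {
    (10, 0): (10, 0, 7),
    (10, 2): (10, 2, 4),
}

# Matches the first dotted X.Y.Z triple in a line of text.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract an (X, Y, Z) tuple from text such as 'Splunk 10.2.3 (build ...)'.

    Assumption: the version appears as the first dotted triple in the text.
    Returns None when no version-like token is present.
    """
    match = VERSION_RE.search(text)
    if match is None:
        return None
    major, minor, patch = (int(g) for g in match.groups())
    return (major, minor, patch)


def assess(version: Tuple[int, int, int]) -> str:
    """Classify a Splunk Enterprise version as 'vulnerable', 'patched' or 'unknown'.

    A version is patched when it is at or above the fixed release for its
    branch; branches outside FIXED_VERSIONS cannot be judged from this data.
    """
    branch = version[:2]
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return "unknown"
    return "patched" if version >= fixed else "vulnerable"


def assess_text(text: str) -> str:
    """Convenience wrapper: parse a version out of text and classify it."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    return assess(version)


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    samples = [
        "Splunk 10.2.3 (build constructed-sample)",
        "Splunk 10.2.4 (build constructed-sample)",
        "Splunk 10.0.6 (build constructed-sample)",
        "Splunk 10.0.7 (build constructed-sample)",
        "Splunk 10.1.2 (build constructed-sample)",
        "no version here",
    ]
    for line in samples:
        print(f"{line!r:50} -> {assess_text(line)}")
```

Feeding the script the version line from each host and acting on every "vulnerable" result gives a quick patch worklist; "unknown" results should be checked against the vendor advisory rather than assumed safe.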
