CVE-2026-20253: Splunk Enterprise Unauthenticated File Access via PostgreSQL Sidecar — RECON Blog
JUNE 10, 2026 · CVSS 9.8 · CRITICAL · 5 MIN READ

CVE-2026-20253: Splunk Enterprise Unauthenticated File Access via PostgreSQL Sidecar — How to Find Exposed Instances

Splunk Enterprise ships a PostgreSQL sidecar service that lacks authentication controls. Any network-reachable attacker can create or truncate arbitrary files on the Splunk server — no credentials required. CVSS 9.8 Critical, part of a 12-advisory batch that includes a separate RCE via deserialization. Here's how to find Splunk instances on your network and verify they're patched.

The Vulnerability

CVE-2026-20253 (CWE-306: Missing Authentication for Critical Function) is a critical vulnerability in Splunk Enterprise's Storage sidecar — a PostgreSQL-based backing service introduced in the 10.x architecture. The sidecar exposes a service endpoint that performs file operations (create and truncate) but has no authentication controls whatsoever. Any user who can reach the endpoint over the network can invoke these operations without credentials.

CVSS: 9.8 Critical (v3.1) — AV:N/AC:L/PR:N/UI:N — SVD-2026-0603
CWE: CWE-306 (Missing Authentication for Critical Function)
AFFECTED: Splunk Enterprise 10.2.0–10.2.3, 10.0.0–10.0.6; Splunk Cloud Platform below 10.4.2604.3 and 10.2.2510.14
FIXED: Splunk Enterprise 10.4.0, 10.2.4, 10.0.7; Splunk Cloud Platform 10.4.2604.3, 10.2.2510.14
EXPLOITED: No known exploitation in the wild (not in CISA KEV)
CREDIT: Alex Hordijk (hordalex)
The impact is severe: arbitrary file creation enables potential remote code execution by placing malicious content in web-accessible directories or overwriting configuration files. File truncation enables denial of service by wiping index data, logs, or critical configuration. The maximum exploitability score (3.9) reflects the trivial attack requirements — network-reachable, no authentication, no user interaction.

The PostgreSQL Storage Sidecar

The Storage sidecar is a relatively new component in Splunk Enterprise 10.x. It runs alongside splunkd as a managed subprocess and provides a full PostgreSQL cluster stack including PostgreSQL instances (ports 5432–5435), PgBouncer connection pooler (6432), Patroni HA manager (8008), and etcd consensus (2379–2380). An IPC Broker on port 8194 coordinates inter-sidecar communication. The vulnerability exists because one of these service endpoints lacks authentication, allowing any network-reachable user to invoke file operations directly.

Related: CVE-2026-20251 (RCE via Deserialization)

The same advisory batch includes CVE-2026-20251 (CVSS 8.8 High) — remote code execution through unsafe deserialization in Splunk Secure Gateway. A low-privileged user (no admin role needed) can inject malicious Python objects via the KV Store, which are deserialized by the jsonpickle library without validation. This affects a broader range of Splunk versions including 9.3.x and 9.4.x. The mitigation is disabling the Splunk Secure Gateway app, but this breaks Splunk Mobile, Spacebridge, and Mission Control.

Investigation Workflow

Splunk is one of the most widely deployed SIEM platforms in enterprise environments. If your organization runs Splunk Enterprise 10.x, you need to identify every instance and verify it's patched. Here's how to find Splunk servers on your network using RECON.

1. Port Scan: Find Splunk Services

Splunk Enterprise exposes several well-known ports. Scan your network for the primary Splunk services:

• 8000 — Splunk Web (UI)
• 8089 — splunkd management REST API
• 8088 — HTTP Event Collector (HEC)
• 8191 — KV Store
• 9997 — Forwarder receiving port

For this specific CVE, also scan for the PostgreSQL sidecar ports: 5432, 6432 (PgBouncer), 8008 (Patroni), and 8194 (IPC Broker). If any of these ports are reachable from outside the Splunk server, the sidecar may be directly exposed to CVE-2026-20253.

2. TLS Inspect: Identify Splunk Certificates

Splunk generates self-signed certificates for its management API and web interface during installation. Pull the TLS certificate chain on ports 8089 and 8000. Look for:

• Issuer or subject fields containing Splunk, SplunkServerDefaultCert, or SplunkCommonCA
• The default CN SplunkServerDefaultCert — very common in deployments that haven't replaced the default TLS configuration
• Self-signed certificates on the management port 8089

3. HTTP Headers: Fingerprint Splunk Web

Splunk Web on port 8000 returns distinctive HTTP response headers and page content. Look for:

• X-Frame-Options: SAMEORIGIN and Server headers characteristic of Splunk
• Login page redirects to /en-US/account/login — the default Splunk login path
• Response body containing Splunk branding,...
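As an added example (not code from this article or from RECON), a small Python helper that turns the three steps above into a patch-verification verdict: it checks a splunkd version string against the affected Splunk Enterprise ranges listed above, flags sidecar ports that answer from off the box, and records the certificate and login-path fingerprints. The version string, port set and certificate names are assumed to come from your own scan and TLS inspect output; the sample at the bottom is constructed.

```python
import socket

# Ports from the article: core Splunk services and the 10.x PostgreSQL sidecar.
SPLUNK_PORTS = {8000: "Splunk Web", 8089: "splunkd REST", 8088: "HEC",
                8191: "KV Store", 9997: "forwarder receiving"}
SIDECAR_PORTS = {5432: "PostgreSQL", 6432: "PgBouncer", 8008: "Patroni", 8194: "IPC Broker"}
# Affected Splunk Enterprise ranges from the advisory (inclusive); other versions are not flagged.
AFFECTED_RANGES = [((10, 2, 0), (10, 2, 3)), ((10, 0, 0), (10, 0, 6))]
CERT_MARKERS = ("SplunkServerDefaultCert", "SplunkCommonCA", "Splunk")
LOGIN_PATH = "/en-US/account/login"

def parse_version(text):
    """'10.2.3' -> (10, 2, 3); a build suffix such as '10.2.3.1' is ignored."""
    return tuple(int(p) for p in text.strip().split(".")[:3])

def is_affected(version):
    """True if a Splunk Enterprise version lies in an affected range for CVE-2026-20253."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def tcp_open(host, port, timeout=1.0):
    """Plain TCP connect check, to learn which of the listed ports answer on a host."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def assess(version, open_ports, subject_cn="", issuer_cn="", location=""):
    """Combine version, reachable ports, certificate names and login redirect into a verdict."""
    open_ports = set(open_ports)
    indicators = [SPLUNK_PORTS[p] for p in sorted(open_ports) if p in SPLUNK_PORTS]
    if any(m in subject_cn or m in issuer_cn for m in CERT_MARKERS):
        indicators.append("cert:" + (subject_cn or issuer_cn))
    if LOGIN_PATH in location:
        indicators.append("login:" + LOGIN_PATH)
    exposed = sorted(p for p in open_ports if p in SIDECAR_PORTS)
    affected = is_affected(version) if version else None
    if affected and exposed:
        verdict = "CRITICAL: affected version and sidecar ports reachable off-box"
    elif affected:
        verdict = "HIGH: affected version; patch even though sidecar ports were not seen"
    elif exposed:
        verdict = "REVIEW: sidecar ports reachable; confirm version and restrict access"
    elif affected is None:
        verdict = "UNKNOWN: version not determined; query splunkd on 8089 with credentials"
    else:
        verdict = "OK: version not in the affected ranges"
    return {"splunk_indicators": indicators, "sidecar_exposed": exposed,
            "affected": affected, "verdict": verdict}

# Constructed sample input (not from a real host): scan results plus TLS/HTTP observations.
SAMPLE = assess("10.2.3", {8000, 8089, 5432, 8194}, subject_cn="SplunkServerDefaultCert", location=LOGIN_PATH)
```

Feed `tcp_open(host, port)` results for the ports in both dictionaries into `assess` along with the version and certificate CN you collected; a CRITICAL verdict means the host needs the fixed release and the sidecar ports need to be firewalled off from other hosts.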