CVE-2026-20253

CRITICAL · KEV · NUCLEI

Unauthenticated Arbitrary File Creation and Truncation in a PostgreSQL Sidecar Service Endpoint in Splunk Enterprise

Title source: cna

Exploitation Summary

CVE-2026-20253 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 18, 2026. EIP tracks 3 public exploits from researchers including watchtowrlabs, HORKimhab, 0xBlackash. A Nuclei detection template is also available.

AI-analyzed exploit summary: The repository contains a Python script that checks for the presence of CVE-2026-20253 by probing the `/v1/postgres/recovery/backup` endpoint in Splunk's PostgreSQL Sidecar Service. It does not exploit the vulnerability but detects potential exposure based on HTTP response codes.

Description

In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials. Splunk Enterprise versions 9.4 and earlier are not affected. If you cannot immediately upgrade to a fixed version, you can mitigate this vulnerability by disabling the PostgreSQL sidecar service.

Exploits (3)

github · SCANNER · 1 star
by watchtowrlabs · python poc
https://github.com/watchtowrlabs/watchTowr-vs-Splunk-CVE-2026-20253

The repository contains a Python script that checks for the presence of CVE-2026-20253 by probing the `/v1/postgres/recovery/backup` endpoint in Splunk's PostgreSQL Sidecar Service. It does not exploit the vulnerability but detects potential exposure based on HTTP response codes.

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Splunk Enterprise (10.2.0-10.2.3, 10.0.0-10.0.6)
Auth: No auth needed
Prerequisites: Network access to the Splunk instance · PostgreSQL Sidecar Service enabled
devstral-2 · analyzed Jun 13, 2026

github · SUSPICIOUS
by HORKimhab · shell poc
https://github.com/HORKimhab/CVE-2026-20253

The repository lacks functional exploit code for CVE-2026-20253 and instead contains a generic script for removing nested Git directories and a boilerplate README with no technical details about the vulnerability.

Classification: Suspicious 90%
Attack Type: Other
Complexity: Trivial
Reliability: Theoretical
Target: unknown
Auth: No auth needed
devstral-2 · analyzed Jun 14, 2026

nomisec · SCANNER
by 0xBlackash · poc
https://github.com/0xBlackash/CVE-2026-20253

The repository contains a Python script that checks for the presence of vulnerable endpoints in Splunk Enterprise related to CVE-2026-20253. It does not exploit the vulnerability but scans for exposed endpoints that could lead to unauthenticated arbitrary file creation.

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Splunk Enterprise versions below 10.2.4 and 10.0.7
Auth: No auth needed
Prerequisites: Network access to Splunk management port (default: 8089)
devstral-2 · analyzed Jun 14, 2026

Nuclei Templates (1)

Splunk Enterprise & Cloud Platform - Unrestricted File Upload
CRITICAL · VERIFIED · by watchtowrlabs, DhiyaneshDk
FOFA query: body="enterprise" && body="splunk"

Scores

CVSS v3: 9.8
EPSS: 0.0173
EPSS Percentile: 74.7%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: yes
Technical Impact: total

Details

CISA KEV: 2026-06-18
VulnCheck KEV: 2026-06-15
ENISA EUVD: EUVD-2026-36088
CWE: CWE-306
Status: published
Products (5)
splunk/splunk 10.0.0 - 10.0.7
Splunk/Splunk Cloud Platform 10.2.2510 - 10.2.2510.14
Splunk/Splunk Cloud Platform 10.4.2604 - 10.4.2604.3
Splunk/Splunk Enterprise 10.0 - 10.0.7
Splunk/Splunk Enterprise 10.2 - 10.2.4
Published: Jun 10, 2026
KEV Added: Jun 18, 2026
Tracked Since: Jun 11, 2026