Critical Splunk Vulnerability (CVE-2026-20253) — RCE Risk

Colleagues, a critical vulnerability in Splunk Enterprise (CVE-2026-20253) has been disclosed.
- An unauthenticated actor can perform file operations and achieve RCE via the PostgreSQL sidecar endpoints (/v1/postgres/recovery/backup and /restore); details from watchTowr Labs.
- Affects versions before 10.2.4 and 10.0.7; the fixed releases are 10.2.4 and 10.0.7. Splunk Cloud and 10.4 are not affected.
- Attack chain: dump remote DB via /backup, upload via /restore using passfile; lo_export writes a file and can overwrite a Python script to trigger RCE.
- Exploitation has not yet been observed in the wild, but a public PoC raises the risk.
Action: apply patches and restrict network access to the PostgreSQL sidecar.
How will you secure Splunk in your environment?
#cybersecurity #Splunk #CVE2026-20253 #infosec
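As an added example (not from the post, nor from Splunk or watchTowr), the two checks a defender needs for the action item above: a version triage that maps an installed Splunk Enterprise version onto the fixed releases the post names, and a log scan that flags requests to the two sidecar recovery endpoints that are unauthenticated or come from outside an allow-list of source networks. The access-log format and the sample lines are constructed, and the allow-list CIDRs are an assumption; adapt `LOG_RE` to the splunkd or reverse-proxy access log actually in use.

```python
"""Defender-side triage helpers for the Splunk advisory on CVE-2026-20253.

  1. is_affected(version): compares a Splunk Enterprise version against the
     fixed releases the advisory names (10.2.4 and 10.0.7; 10.4 unaffected).
  2. find_sidecar_requests(lines, allowed_sources): scans access-log lines for
     the PostgreSQL sidecar recovery endpoints and flags any request that is
     unauthenticated or from outside an allow-list of source networks.

The log format is a constructed, combined-log style line (assumption).
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Tuple[int, ...]] = {
    (10, 0): (10, 0, 7),
    (10, 2): (10, 2, 4),
}
# Branch the advisory states is not affected.
UNAFFECTED_BRANCHES = {(10, 4)}

# Sidecar endpoints named in the advisory (compared without query string).
SIDECAR_PATHS = (
    "/v1/postgres/recovery/backup",
    "/v1/postgres/recovery/restore",
)

# Combined-log style access line: source, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not real telemetry). Line 1 is an expected,
# authenticated local call; lines 2-3 are unauthenticated calls from an
# external address hitting /backup then /restore; line 4 is unrelated traffic.
SAMPLE_LOG = """\
127.0.0.1 - splunk-system-user [16/Mar/2026:09:12:01.000 +0000] "POST /v1/postgres/recovery/backup HTTP/1.1" 200 512
203.0.113.45 - - [16/Mar/2026:09:14:33.000 +0000] "POST /v1/postgres/recovery/backup HTTP/1.1" 200 88412
203.0.113.45 - - [16/Mar/2026:09:15:02.000 +0000] "POST /v1/postgres/recovery/restore HTTP/1.1" 200 17
10.0.0.5 - admin [16/Mar/2026:09:20:00.000 +0000] "GET /services/server/info HTTP/1.1" 200 2048
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """'10.2.3' -> (10, 2, 3); tuples compare component-wise."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str) -> Optional[bool]:
    """True if below the fixed release for its branch, False if fixed or on an
    unaffected branch, None if the advisory says nothing about that branch
    (e.g. 10.1.x, 10.3.x), which then needs a manual check against the vendor notice."""
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch in UNAFFECTED_BRANCHES:
        return False
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return None
    return parsed < fixed


def _source_allowed(src: str, allowed: list) -> bool:
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or garbage never match the allow-list
    return any(addr in net for net in allowed)


def find_sidecar_requests(lines: Iterable[str], allowed_sources: Iterable[str]) -> List[Dict[str, str]]:
    """One finding per sidecar recovery request that is unauthenticated or
    originates outside allowed_sources (CIDR strings)."""
    allowed = [ipaddress.ip_network(cidr, strict=False) for cidr in allowed_sources]
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if not path.startswith(SIDECAR_PATHS):
            continue
        reasons = []
        if m.group("user") == "-":
            reasons.append("unauthenticated")
        if not _source_allowed(m.group("src"), allowed):
            reasons.append("source not allow-listed")
        if reasons:
            findings.append({
                "ts": m.group("ts"), "src": m.group("src"), "method": m.group("method"),
                "path": path, "status": m.group("status"), "reason": "; ".join(reasons),
            })
    return findings


if __name__ == "__main__":
    for v in ("10.2.3", "10.2.4", "10.0.6", "10.4.0", "10.1.2"):
        print(f"{v}: affected={is_affected(v)}")
    for f in find_sidecar_requests(SAMPLE_LOG.splitlines(), ["127.0.0.1/32", "10.0.0.0/8"]):
        print(f"ALERT {f['ts']} {f['src']} {f['method']} {f['path']} -> {f['reason']}")
```

Feed the real access log through `find_sidecar_requests` with the management hosts that legitimately call the sidecar as the allow-list; in a patched estate any hit should still be investigated, since the endpoints are not meant to be reachable from arbitrary sources.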
