Unauthenticated Arbitrary File Creation and Truncation in a PostgreSQL Sidecar Service Endpoint in Splunk Enterprise
Advisory ID: SVD-2026-0603
CVE ID: CVE-2026-20253
Published: 2026-06-10
Last Update: 2026-06-10
CVSSv3.1 Score: 9.8, Critical
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-306
Bug ID: VULN-67169
Description
In Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.3 and 10.2.2510.14, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint.
The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials.
See Secure Splunk Enterprise in the Splunk documentation for more information.
Solution
Upgrade Splunk Enterprise to versions 10.4.0, 10.2.4 and 10.0.7, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
| Product | Base Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 10.4 | splunkd | Not affected | 10.4.0 |
| Splunk Enterprise | 10.2 | splunkd | 10.2.0 to 10.2.3 | 10.2.4 |
| Splunk Enterprise | 10.0 | splunkd | 10.0.0 to 10.0.6 | 10.0.7 |
| Splunk Cloud Platform | 10.4.2604 | splunkd | Below 10.4.2604.3 | 10.4.2604.3 |
| Splunk Cloud Platform | 10.2.2510 | splunkd | Below 10.2.2510.14 | 10.2.2510.14 |
Mitigations and Workarounds
None
Detections
None
Severity
Splunk rates this vulnerability a 9.8, Critical, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Acknowledgments
Alex Hordijk (hordalex)