Unauthenticated Arbitrary File Creation and Truncation in a PostgreSQL Sidecar Service Endpoint in Splunk Enterprise
Advisory ID: SVD-2026-0603
CVE ID: CVE-2026-20253
Published: 2026-06-10
Last Update: 2026-06-15
CVSSv3.1 Score: 9.8, Critical
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-306
Bug ID: VULN-67169
Description
In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials.
See Secure Splunk Enterprise and Sidecar Configuration Settings in the Splunk documentation for more information.
Solution
Upgrade Splunk Enterprise to version 10.4.0, 10.2.4, 10.0.7, or higher. Splunk Enterprise versions 9.4 and earlier are not affected.
Product Status
| Product | Base Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 10.4 | splunkd | Not affected | 10.4.0 |
| Splunk Enterprise | 10.2 | splunkd | 10.2.0 to 10.2.3 | 10.2.4 |
| Splunk Enterprise | 10.0 | splunkd | 10.0.0 to 10.0.6 | 10.0.7 |
| Splunk Enterprise | 9.4 | splunkd | Not affected | NA |
| Splunk Enterprise | 9.3 | splunkd | Not affected | NA |
Mitigations and Workarounds
If you cannot immediately upgrade to a fixed version, you can mitigate this vulnerability by disabling the PostgreSQL sidecar service. See Sidecar Configuration Settings and Postgresql Configuration.
Add the following stanza to $SPLUNK_HOME/etc/system/local/server.conf:
[postgres]
disabled = true
Restart Splunk Enterprise for the change to take effect.
Do not apply this workaround if you use Edge Processor, OpAmp, or SPL2 data pipelines on the instance. Disabling PostgreSQL breaks these features and can cascade to dependent sidecar processes. Core search, indexing, and dashboard functionality are not affected.
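The following audit helper is an added example, not part of the original advisory or Splunk's own tooling. It classifies a version string against the Product Status table and checks whether the text of a server.conf carries the workaround stanza. The function names and sample file contents are assumptions made for illustration.

```python
import re

# Fixed patch level per affected release line, from the Product Status table.
FIXED_PATCH = {(10, 2): 4, (10, 0): 7}

def version_status(version):
    """Classify a Splunk Enterprise version string against the advisory."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognized version: {version!r}")
    major, minor, patch = map(int, m.groups())
    if (major, minor) in FIXED_PATCH:
        return "affected" if patch < FIXED_PATCH[(major, minor)] else "fixed"
    if (major, minor) <= (9, 4) or (major, minor) >= (10, 4):
        return "not affected"
    return "not listed"  # release line the advisory does not mention

def postgres_disabled(conf_text):
    """True if the [postgres] stanza ends up with disabled = true."""
    stanza, disabled = None, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif stanza == "postgres" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "disabled":
                # Assumption: only "true" or "1" count as true in this check.
                disabled = value.strip().lower() in ("true", "1")
    return disabled

def exposed(version, conf_text):
    """Affected build whose server.conf text does not disable the sidecar."""
    return version_status(version) == "affected" and not postgres_disabled(conf_text)

# Constructed sample server.conf contents (not taken from a real host).
MITIGATED = "[general]\nserverName = idx01\n\n[postgres]\ndisabled = true\n"
UNMITIGATED = "[general]\nserverName = idx01\n\n[postgres]\n# disabled = true\n"

if __name__ == "__main__":
    for ver, conf in [("10.2.3", UNMITIGATED), ("10.2.3", MITIGATED),
                      ("10.0.7", UNMITIGATED)]:
        print(ver, version_status(ver), "exposed" if exposed(ver, conf) else "ok")
```

The check reads only the file text it is given, so it does not confirm that Splunk Enterprise has been restarted since the stanza was added.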
Detections
None
Severity
Splunk rates this vulnerability a 9.8, Critical, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. If you turn off the PostgreSQL sidecar service, there should be no impact and the severity would be informational.
Acknowledgments
Alex Hordijk (hordalex)
Changelog
2026-06-15: Added the mitigation to disable Postgres. Added Splunk Enterprise 9.4 and 9.3 minor versions to the Products list for clarity. Minor versions 9.4 and below are not affected.
2026-06-12: Removed references to Splunk Cloud Platform. Postgres Sidecars are not used in Splunk Cloud. Splunk Cloud is not affected by this vulnerability.