CVE-2026-20253

Vulnerability

Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.3 and 10.2.2510.14, are affected by a vulnerability in a PostgreSQL sidecar service endpoint. This endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials [1].

Exploitation

An unauthenticated user can exploit this vulnerability by interacting with the PostgreSQL sidecar service endpoint. Since the endpoint lacks authentication, any user with network access to the service can trigger file creation or truncation operations without needing any prior privileges or user interaction [1].

Impact

Successful exploitation allows an attacker to create or truncate arbitrary files on the system. This can lead to denial of service by truncating critical files, or potentially allow for further system compromise depending on the files that can be created or modified, impacting confidentiality, integrity, and availability [1].

Mitigation

Upgrade Splunk Enterprise to version 10.4.0, 10.2.4, or 10.0.7, or higher. Splunk Cloud Platform instances are being actively monitored and patched, with affected versions below 10.4.2604.3 and 10.2.2510.14 being addressed [1]. No other specific mitigations or workarounds are disclosed in the available references [1].