CVE-2026-20253: Critical Pre-Auth RCE in Splunk Enterprise PostgreSQL Sidecar Hits AWS Deployments
watchTowr Labs discloses CVE-2026-20253, a pre-authentication remote code execution vulnerability in the PostgreSQL Sidecar Service, a component that ships installed and enabled by default in Splunk Enterprise deployments on AWS.

Security researchers at watchTowr Labs have published a detailed technical analysis of CVE-2026-20253, a pre-authentication remote code execution vulnerability in Splunk Enterprise 10.x. The flaw resides in the PostgreSQL Sidecar Service, a component Splunk introduced in version 10 to offload certain data management tasks. The service binds only to the loopback interface (port 5435), but the researchers showed that "localhost only" is not a security boundary when an attacker can reach the main Splunk web application on port 8000. The vulnerability carries a CVSS score of 9.8 (critical), although the official advisory does not explicitly confirm remote code execution.
The PostgreSQL Sidecar Service is optional in on-premises Splunk Enterprise installations: on Windows it is not installed by default, and on Linux it is installed but not enabled by default. On **Splunk Enterprise deployments running on AWS, however, the service is both installed and enabled by default**, so a large number of cloud-hosted instances are vulnerable out of the box. According to the advisory, all Splunk Enterprise 10.x versions are affected.
watchTowr began by locating the vulnerable service binary, splunk-postgres, a 66 MB Go-compiled binary listening on ports 5435 and 33669. Using Splunk's own documentation, they found that the service exposes several HTTP endpoints under /v1/postgres/, including /v1/postgres/recovery/backup and /v1/postgres/recovery/restore. The documentation shows that the backup endpoint accepts a backupFile parameter and a database parameter, which immediately suggests an attacker-influenced file path and therefore a file-write primitive.
To bypass the loopback-only restriction, the researchers turned to an SSRF vector. They found that a feature of the main Splunk web application (port 8000) can be used by an authenticated user to forward raw HTTP requests to the PostgreSQL Sidecar Service on localhost. Because port 8000 is the network-facing service, an attacker who can trick an authenticated Splunk admin, or who chains another vulnerability to obtain session access, can tunnel requests through the web app straight to the vulnerable sidecar endpoints, which makes the loopback restriction moot. Note the tension with the pre-authentication framing: as summarized here, the pivot starts from a Splunk session, so unless the forwarding feature itself is reachable without credentials, the practical precondition is reaching port 8000 with valid or stolen credentials.
The analysis confirmed that the /v1/postgres/recovery/restore endpoint performs no identity or authorization check. Combined with the file-write primitive exposed by the backup endpoint, this lets an attacker write arbitrary files to the filesystem and obtain code execution as the Splunk user. The proof-of-concept chain is: first write a malicious shared object or script to disk via the backup endpoint, then trigger its execution through the restore functionality. The SSRF pivot through the web interface removes any need for access to the host's local network.
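The pivot and write-then-restore chain described above leave a trace in the web tier: the relayed request to the sidecar has to pass through port 8000, so its access log should carry the sidecar path (URL-encoded once or twice) somewhere in the request line. The following detector is an added example, not code from watchTowr or Splunk. It assumes the port-8000 access log uses a combined-log layout and that the relayed target URL appears in the logged request; the relay path `/en-US/splunkd/__raw/services/relay` and the `target=` parameter in the sample lines are placeholders, since the page does not name the forwarding feature, and the log lines themselves are constructed. Only the sidecar endpoint names and parameters (`/v1/postgres/recovery/backup`, `/v1/postgres/recovery/restore`, `backupFile`, `database`) come from the write-up.

```python
"""Flag Splunk web-tier requests that relay to the PostgreSQL sidecar's
recovery endpoints (added example; not watchTowr's or Splunk's code)."""

import re
from urllib.parse import parse_qs, unquote, urlsplit

# Sidecar recovery endpoints named in the write-up (order matters: a line is
# attributed to the first path it contains).
SIDECAR_PATHS = ("/v1/postgres/recovery/backup", "/v1/postgres/recovery/restore")

# Combined-log layout assumed for the port-8000 access log.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample: two benign requests around a backup/restore pair that
# rides a hypothetical relay feature (relay path and target= are placeholders).
SAMPLE_LOG = """\
10.0.1.5 - admin [03 Mar 2026 10:12:01 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 4821
203.0.113.7 - admin [03 Mar 2026 10:12:09 +0000] "POST /en-US/splunkd/__raw/services/relay?target=http%3A%2F%2F127.0.0.1%3A5435%2Fv1%2Fpostgres%2Frecovery%2Fbackup%3FbackupFile%3D..%252F..%252Fetc%252Fapps%252Fx.sh%26database%3Dsplunk HTTP/1.1" 200 17
203.0.113.7 - admin [03 Mar 2026 10:12:11 +0000] "POST /en-US/splunkd/__raw/services/relay?target=http%3A%2F%2F127.0.0.1%3A5435%2Fv1%2Fpostgres%2Frecovery%2Frestore HTTP/1.1" 200 17
10.0.1.9 - - [03 Mar 2026 10:13:00 +0000] "GET /en-US/account/login HTTP/1.1" 200 3301
"""


def deep_unquote(s, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (a relayed URL is
    typically encoded once for the outer request and once for its own query)."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def sidecar_findings(log_text):
    """Return one finding per access-log line whose decoded request line
    contains a sidecar recovery endpoint, with the inner request's parameters."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = deep_unquote(m.group("url"))
        hit = next((p for p in SIDECAR_PATHS if p in decoded), None)
        if hit is None:
            continue
        # Everything from the sidecar path onward is the relayed (inner) request.
        inner = decoded[decoded.index(hit):]
        params = parse_qs(urlsplit(inner).query)
        backup_file = params.get("backupFile", [None])[0]
        findings.append({
            "src": m.group("src"),
            "user": m.group("user"),
            "ts": m.group("ts"),
            "endpoint": hit.rsplit("/", 1)[-1],          # "backup" or "restore"
            "backupFile": backup_file,
            "database": params.get("database", [None])[0],
            # A backupFile that climbs out of its directory is the write primitive.
            "traversal": backup_file is not None and ".." in backup_file,
        })
    return findings


if __name__ == "__main__":
    for f in sidecar_findings(SAMPLE_LOG):
        flag = " TRAVERSAL" if f["traversal"] else ""
        print(f'{f["ts"]} {f["src"]} user={f["user"]} {f["endpoint"]} '
              f'backupFile={f["backupFile"]} database={f["database"]}{flag}')
```

The detector keys on the sidecar path anywhere in the decoded request line rather than on a specific relay URL, so it still fires if the real forwarding feature lives at a different path than the placeholder; a backup call followed within seconds by a restore from the same source is the sequence the chain needs.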
Splunk Enterprise customers, especially those running on AWS, should apply the security update immediately. Where patching cannot happen at once, Splunk recommends disabling the PostgreSQL Sidecar Service if it is not required, or restricting access to the Splunk web interface to trusted IP addresses. The discovery illustrates a recurring pattern in modern software architecture: sidecar services intended as internal helpers expose unauthenticated APIs on loopback, and an HTTP-level SSRF or proxy-abuse primitive in the front-end service then makes those APIs reachable from outside. watchTowr has released a full technical write-up and indicators of compromise, and urges organizations to treat this vulnerability as actively exploitable.
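A quick way to decide which of the mitigations above applies to a given host is to check whether the sidecar is actually listening and whether the web tier is bound to a non-loopback address. The triage script below is an added example, not Splunk's or watchTowr's tooling. It parses `ss -ltnp` output (Linux, iproute2) and uses only facts from the write-up: the process name `splunk-postgres`, its ports 5435 and 33669, and the web port 8000. The socket table it ships with is constructed; pass `--live` to read the real one.

```python
"""Triage a Linux host for the sidecar exposure described in the write-up
(added example; parses `ss -ltnp`, not an official Splunk check)."""

import re
import subprocess
import sys

SIDECAR_PROC = "splunk-postgres"   # binary name from the write-up
SIDECAR_PORTS = {5435, 33669}      # ports it listens on, per the write-up
WEB_PORT = 8000                    # Splunk web application

# Constructed `ss -ltnp` output for an AWS-style host: sidecar on loopback,
# web tier bound to all interfaces.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:5435      0.0.0.0:*         users:(("splunk-postgres",pid=2210,fd=7))
LISTEN 0      4096   127.0.0.1:33669     0.0.0.0:*         users:(("splunk-postgres",pid=2210,fd=8))
LISTEN 0      128    0.0.0.0:8000        0.0.0.0:*         users:(("splunkd",pid=1987,fd=21))
LISTEN 0      128    0.0.0.0:8089        0.0.0.0:*         users:(("splunkd",pid=1987,fd=19))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=900,fd=3))
"""

PROC_RE = re.compile(r'\("([^"]+)"')


def parse_listeners(ss_text):
    """Turn `ss -ltnp` lines into {addr, port, proc} records, skipping the header."""
    listeners = []
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)     # handles "[::]:22" and "*:8000"
        m = PROC_RE.search(line)
        listeners.append({"addr": addr, "port": int(port),
                          "proc": m.group(1) if m else None})
    return listeners


def is_loopback(addr):
    return addr.startswith("127.") or addr == "[::1]"


def assess(ss_text):
    """Summarize sidecar presence and web-tier exposure from a socket table."""
    listeners = parse_listeners(ss_text)
    sidecar = [l for l in listeners
               if l["proc"] == SIDECAR_PROC or l["port"] in SIDECAR_PORTS]
    web = [l for l in listeners if l["port"] == WEB_PORT]
    result = {
        "sidecar_running": bool(sidecar),
        "sidecar_ports": sorted(l["port"] for l in sidecar),
        # None when the sidecar is absent; otherwise whether every bind is loopback.
        "sidecar_loopback_only": all(is_loopback(l["addr"]) for l in sidecar) if sidecar else None,
        "web_exposed": any(not is_loopback(l["addr"]) for l in web),
    }
    if not result["sidecar_running"]:
        result["verdict"] = "sidecar not listening; confirm it is disabled, then patch on schedule"
    elif result["web_exposed"]:
        result["verdict"] = ("sidecar listening and web tier network-exposed: "
                             "patch now, or disable the sidecar / restrict port 8000")
    else:
        result["verdict"] = "sidecar listening but web tier loopback-only; still patch"
    return result


if __name__ == "__main__":
    if "--live" in sys.argv:
        text = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_SS
    for k, v in assess(text).items():
        print(f"{k}: {v}")
```

A loopback-only sidecar is the expected state and is not by itself reassuring, since the whole point of the write-up is that the web tier relays to it; the verdict therefore turns on whether port 8000 is reachable from the network, which is exactly what the "restrict the web interface" mitigation changes.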