Splunk has issued security updates for CVE-2026-20253, a critical flaw in Splunk Enterprise that could allow unauthenticated file operations and remote code execution through the PostgreSQL sidecar's endpoints. watchTowr Labs detailed how attackers could abuse the /backup and /restore endpoints to write arbitrary files and potentially overwrite a Python script to achieve code execution. #SplunkEnterprise #CVE-2026-20253 #watchTowrLabs #Cisco
Keypoints
- CVE-2026-20253 is a critical Splunk Enterprise flaw with a CVSS score of 9.8.
- Unauthenticated users could create or truncate arbitrary files through a PostgreSQL sidecar endpoint.
- The issue affects Splunk Enterprise 10.2.x releases before 10.2.4 and 10.0.x releases before 10.0.7.
- watchTowr Labs showed how /backup and /restore could be chained for pre-auth remote code execution.
- Splunk Cloud is not impacted, and updates are available for affected releases.
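As an added triage example (not code from the article, from watchTowr Labs or from Splunk): a small Python helper that answers the two questions a defender asks first, "is this host on a vulnerable build?" using the fixed versions the post reports, and "did anyone hit the sidecar's /backup or /restore endpoints without a session?" over access-log lines. Everything not stated on the page is an assumption: the version-string format, the common-log-style line format, the `/sidecar/` path prefix (a placeholder, since the page does not give the real path), and the sample log lines, which are constructed.

```python
"""Triage helpers for CVE-2026-20253 (added example, not from the article or Splunk)."""
import re
from typing import Optional

# Fixed releases per branch, as reported in the post: 10.2.x -> 10.2.4, 10.0.x -> 10.0.7.
# Branches the post does not mention are deliberately absent so they come back as "unknown".
FIXED_BY_BRANCH = {(10, 2): (10, 2, 4), (10, 0): (10, 0, 7)}


def parse_version(v: str) -> tuple:
    """Turn '10.2.3' or '10.0.6.1' into a comparable tuple, ignoring any trailing build tag.
    (Version-string shape is an assumption, not taken from the page.)"""
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError(f"unparseable Splunk version: {v!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(v: str) -> Optional[bool]:
    """True if the version sits on a branch the post names and is below that branch's fix.
    Returns None for branches the post says nothing about, so the caller treats them as
    'check the advisory' rather than silently 'safe'."""
    parts = parse_version(v)
    fixed = FIXED_BY_BRANCH.get(parts[:2])
    if fixed is None:
        return None
    return parts < fixed  # tuple comparison: (10, 2, 3) < (10, 2, 4)


# Common-log-style access line: src - user [ts] "METHOD path HTTP/x" status size
# The format is an assumption; the real splunkd access log may differ.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoint names come from the post; the exact path prefix does not, so only the suffix is matched.
SIDECAR_SUFFIXES = ("/backup", "/restore")


def flag_sidecar_requests(lines) -> list:
    """Return one record per request whose path ends in /backup or /restore.
    'authenticated' is False when the user field is '-', which is what an unauthenticated
    hit on the sidecar would look like in this assumed format."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if path.endswith(SIDECAR_SUFFIXES):
            hits.append({
                "src": m.group("src"),
                "path": path,
                "method": m.group("method"),
                "status": int(m.group("status")),
                "authenticated": m.group("user") != "-",
            })
    return hits


# Constructed sample log (not real traffic); '/sidecar/' is a placeholder prefix.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Jun/2026:10:12:01 +0000] "POST /sidecar/backup HTTP/1.1" 200 412
203.0.113.7 - - [04/Jun/2026:10:12:03 +0000] "POST /sidecar/restore?x=1 HTTP/1.1" 200 17
10.0.0.5 - admin [04/Jun/2026:10:13:10 +0000] "GET /services/server/info HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    for v in ("10.2.3", "10.2.4", "10.0.6.1", "10.0.7", "9.4.2"):
        print(v, "affected:", is_affected(v))
    for hit in flag_sidecar_requests(SAMPLE_LOG.splitlines()):
        print(hit)
```

Running it with the constructed log flags the two unauthenticated POSTs to the sidecar paths and leaves the authenticated `/services/server/info` request alone; `is_affected` marks 10.2.3 and 10.0.6.1 as vulnerable, 10.2.4 and 10.0.7 as fixed, and returns None for a 9.x build because the post gives no verdict for that branch.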
Read More: https://thehackernews.com/2026/06/critical-splunk-enterprise-flaw-lets.html