CRITICAL · CVE-2026-20253 · CNA: cisco

CVE-2026-20253: Unauthenticated Arbitrary File Creation and Truncation in a PostgreSQL Sidecar Service Endpoint in Splunk Enterprise

In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials. Splunk Enterprise versions 9.4 and earlier are not affected. If you cannot immediately upgrade to a fixed version, you can mitigate this vulnerability by disabling the PostgreSQL sidecar service.

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: 10.0.7
Affected Products: 1


HarborGuard Analysis

Synopsis

An unauthenticated arbitrary file creation and truncation vulnerability exists in Splunk Enterprise versions 10.0.x before 10.0.7 and 10.2.x before 10.2.4. The flaw is reachable over the network with no credentials required, because the PostgreSQL sidecar service endpoint exposes file operation capabilities without any authentication controls. Successful exploitation lets an attacker create or overwrite arbitrary files on the host, enabling data tampering, service disruption, and potential code execution via file manipulation. Patched-image rebuilds at versions 10.0.7 and 10.2.4 are available on HarborGuard for affected environments.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-20253 is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Splunk Enterprise, across registries and CI/CD pipelines.

Triage (Available)

HarborGuard is capable of scoring this CVE at CVSS 9.8 (Critical) and weighting findings against each environment's compliance policy to determine urgency and breach-of-threshold status. Triage routing to the appropriate team inbox within each customer organization is available automatically based on policy configuration.

Patch (Available)

A patched-image rebuild at Splunk Enterprise 10.0.7 or 10.2.4 becomes available on HarborGuard for any customer image found running an affected version. For customers who opt into auto-remediation, HarborGuard can execute the rebuild, run regression tests, and open a pull request against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The vulnerable PostgreSQL sidecar service endpoint must be reachable over the network; any host that can send requests to the service is a viable attacker position.

  • Authentication: Not required

    No credentials of any kind are required; the endpoint exposes file operations to unauthenticated callers.

  • Victim interaction: Not required

    No user action is needed; the attacker sends requests directly to the service without involving any other party.

  • Attack complexity: Low

    Exploitation is reliable and condition-free; no race conditions, special memory layout, or environmental prerequisites are needed to trigger the vulnerability.

Blast Radius

  • An attacker can create new files at arbitrary paths on the host filesystem, including in sensitive directories.
  • An attacker can truncate existing files, wiping configuration files, authentication databases, or application data.
  • Truncating or replacing critical Splunk files crashes or destabilizes the Splunk Enterprise service.
  • Overwriting executable or configuration files can be a stepping stone to remote code execution if the written content is subsequently loaded or executed by the service.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication and matches against all images in connected registries and pipelines, including custom-built Splunk Enterprise images. For environments running Splunk Enterprise 10.0.x or 10.2.x, a patched-image rebuild at the fixed versions (10.0.7 and 10.2.4) is available. For customers who opt into auto-remediation, HarborGuard can trigger the rebuild, execute regression tests, and open a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. If an immediate upgrade is not possible, the upstream advisory recommends disabling the PostgreSQL sidecar service as a compensating control; network-policy isolation that blocks inbound access to the sidecar service port is an additional layer worth applying until the patched image is promoted. Where compliance policy requires manual approval, HarborGuard queues the rebuild and notifies the designated owner for sign-off.


Fix available: 10.0.7 · 10.2.4

Affected packages
  • Splunk / Splunk Enterprise
    < 10.2.4 (from 10.2) · < 10.0.7 (from 10.0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H