Monday , July 6 2026
Splunk Enterprise

Critical Splunk Enterprise Pre-Auth RCE Chain Exposes Databases With Zero Authentication

A serious pre-authentication remote code execution (RCE) flaw in Splunk Enterprise has been revealed, earning a very high CVSS score of 9.8. Tracked as CVE-2026-20253, Splunk shared the flaw on June 10, 2026. It impacts the PostgreSQL Sidecar Service that came with Splunk version 10.

The root cause of CVE-2026-20253 lies in the PostgreSQL Sidecar Service’s HTTP API endpoints specifically /v1/postgres/recovery/backup and /v1/postgres/recovery/restore which lack any authentication controls.

“Bad Epoll” 0-Day Vulnerability Allows Root Access on Linux Servers, Android Devices

A new Linux flaw called “Bad Epoll” (CVE-2026-46242) lets regular users get root access on Linux servers, desktops, and Android...
Read More
“Bad Epoll” 0-Day Vulnerability Allows Root Access on Linux Servers, Android Devices

An AI performed a cyber attack without any human help for the first time

Security experts found what they think is the first time an AI carried out a cyber attack all by itself....
Read More
An AI performed a cyber attack without any human help for the first time

Singapore major data centres, cloud providers could incur fine up to $1m

Major data center and cloud service providers might have to pay a fine of up to $1 million or up...
Read More
Singapore major data centres, cloud providers could incur fine up to $1m

IBM-managed instance breach exposes personal data of 70,000 in Singapore

The Singapore Land Authority (SLA) has announced that the personal details of around 70,000 people were leaked after someone accessed...
Read More
IBM-managed instance breach exposes personal data of 70,000 in Singapore

Alibaba Reportedly Bans Claude Code for Suspected AI Tool Backdoor

Alibaba is said to be getting ready to ban the use of Anthropic’s Claude Code in its own systems starting...
Read More
Alibaba Reportedly Bans Claude Code for Suspected AI Tool Backdoor

CISA KEV Adds SharePoint RCE CVE-2026-45659 After Active Exploits

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a serious problem affecting Microsoft SharePoint Server to its list of...
Read More
CISA KEV Adds SharePoint RCE CVE-2026-45659 After Active Exploits

Nepal Unveils First “Hall of Fame” for Ethical Hackers

Nepal has started a 'Hall of Fame' program to honor cybersecurity researchers who safely report security flaws in government digital...
Read More
Nepal Unveils First “Hall of Fame” for Ethical Hackers

900+ Oracle E-Business instances Exposed Online

The Shadowserver Foundation found about 950 Oracle E-Business Suite (EBS) systems on the internet around the world. This discovery came...
Read More
900+ Oracle E-Business instances Exposed Online

India asks WhatsApp not to roll out ‘username’ feature over fraud concerns

The Indian government issued a notice WhatsApp planned to roll out its new 'username' feature. They are worried about fake...
Read More
India asks WhatsApp not to roll out ‘username’ feature over fraud concerns

Azure CLI Password Spray Impacts 78 Microsoft Accounts in 81M+ Attempts

Cybersecurity researchers have warned of a "massive, ongoing, automated password spray attack" aimed at Microsoft's Azure command-line interface (CLI), compromising...
Read More
Azure CLI Password Spray Impacts 78 Microsoft Accounts in 81M+ Attempts

Splunk Enterprise Pre-Auth RCE

Anyone on the network can access these internal endpoints through Splunk’s main web app using a proxy. This means that attackers can call them without needing valid login details.

The biggest risk is with Splunk Enterprise on AWS, where the PostgreSQL Sidecar Service is turned on by default, making those setups easy targets.

On-site Windows setups are less quickly impacted because the service is either not installed or turned off by default.

WatchTowr found that the /backup endpoint sends attacker-controlled inputs straight to pg_dump, such as the backupFile path and database name.

Path traversal in the backupFile parameter allows anyone to create or delete files anywhere on the system.

The more important finding was about PostgreSQL’s design: the database setting can take a full libpq connection string, and any settings in it will replace fixed command-line options.

This allowed researchers to inject hostaddr and redirect pg_dump to connect to an attacker-controlled PostgreSQL server instead of localhost. With the ability to redirect pg_dump to an external host, researchers then turned to the /restore endpoint, which passes input to pg_restore.

A plaintext .pgpass file discovered at /opt/splunk/var/packages/data/postgres/.pgpass exposed the local postgres_admin credentials.

Injecting a passfile connection string that leads to this file allows attackers to log in to Splunk’s local PostgreSQL. They can then restore a database dump they control and run any SQL they want.

The harmful dump uses PostgreSQL’s lo_export function to place attacker-controlled data anywhere on the filesystem. This allows complete control over file writing as the splunk user.

With an arbitrary file write in hand, reaching RCE required only one final step. Researchers identified that Splunk regularly executes the Python script /opt/splunk/etc/apps/splunk_secure_gateway/bin/ssg_enable_modular_input.py.

This file was replaced with a harmful payload using the lo_export write method. This caused the code to run as the splunk user when Splunk ran the script again, finishing the pre-authentication RCE process.

Affected Versions and Mitigation

CVE-2026-20253 affects Splunk Enterprise versions 10.x and higher because the PostgreSQL Sidecar component was added in version 10.

Organizations using Splunk Enterprise, especially those on AWS, should update Splunk right away and check the filesystem access to the PostgreSQL Sidecar service folder.

Security teams need to check the .pgpass file and make sure the Splunk service ports are separate from outside connections.

South Korea fines Coupang Record $409 mln fine for data leak

Check Also

CLI

Azure CLI Password Spray Impacts 78 Microsoft Accounts in 81M+ Attempts

Cybersecurity researchers have warned of a “massive, ongoing, automated password spray attack” aimed at Microsoft’s …