## https://sploitus.com/exploit?id=7C02CBDF-7281-5715-BEAC-5517F65B9434
# Splunk Enterprise โ CVE-2026-20253 Training Lab
> **Splunk Enterprise 10.2.3 ยท PostgreSQL recovery sidecar ยท CWE-306 (Missing Authentication for Critical Function)**
> An authorized, self-contained reproduction that **models** the real advisory
> for defensive education. It does not ship Splunk's proprietary code.
This repository is a Vulhub/DVWA-style security-training lab. It stands up a
faithful model of **Splunk Enterprise 10.2.3** and reproduces the documented
behavior behind **CVE-2026-20253**: the bundled **PostgreSQL recovery sidecar**
exposes privileged file-write and SQL-execution functions with *no real
authentication* (a blank/any `Basic` header is accepted), and the Splunk web
tier relays `__raw/v1/postgres/*` to that sidecar **before** the login gate.
Chained, this yields **unauthenticated remote code execution** as the
non-root `splunk` service account.
The lab is fully solvable end to end: fingerprint the edge, follow a pre-auth
health badge to the internal recovery API, prove arbitrary file write, steal the
internal Postgres credential, and pivot a SQL-restore file-write primitive into
code execution on a scheduled modular-input script.
## Advisory
| | |
|---|---|
| **Vendor advisory** | SVD-2026-0603 |
| **CVE** | CVE-2026-20253 |
| **Weakness** | CWE-306 โ Missing Authentication for Critical Function |
| **Affected** | Splunk Enterprise 10.2.3 |
| **Fixed in** | Splunk Enterprise 10.2.4 |
| **CVSS 3.1** | **9.8 (Critical)** โ `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |
## Architecture
```
edge network core network
โโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
browser โโถ proxy :8080 โโโถ web :8001 (SPA)
(nginx edge) โโถ splunkd :8089 โโฌโโถ db :5432 (postgres)
login API + โโโถ redis :6379 (jobs/cache)
__raw relay โโโโผโโถ pg-sidecar :5435 โโโ THE VULN
โ (recovery API, blank Basic)
forwarders โโถ ingest :8088 (HEC) โโโโโโโโโโ
scheduler โโโถ runs modular-input script
as `splunk` (uid 1000) โ RCE sink
shared volume app_data mounted into
pg-sidecar (write) + scheduler (exec)
```
| Service | Image | Listens | Published | Role |
|---|---|---|---|---|
| `proxy` | `splunk/proxy:10.2.3` | 8080 | **8080:8080** | nginx edge; Splunk Web + `__raw` relay entrypoint |
| `web` | `splunk/web:10.2.3` | 8001 | โ | Splunk Web single-page app (static) |
| `splunkd` | `splunk/splunkd:10.2.3` | 8089 | โ | Splunk daemon / web tier: login API **+** the pre-session `/{locale}/splunkd/__raw/v1/postgres/*` relay |
| `ingest` | `splunk/ingest:10.2.3` | 8088 | **8088:8088** | HTTP Event Collector (token auth) |
| `pg-sidecar` | `splunk/pg-sidecar:10.2.3` | 5435 | โ | **THE VULNERABILITY** โ PostgreSQL recovery sidecar (`/v1/postgres/*`) |
| `scheduler` | `splunk/scheduler:10.2.3` | โ | โ | runs the scheduled modular-input script **as `splunk`** โ RCE sink |
| `db` | `postgres:16-alpine` | 5432 | โ | internal Postgres the sidecar backs up / restores |
| `redis` | `redis:7-alpine` | 6379 | โ | job queue / cache |
Two Docker bridges: `edge` (proxy) and `core` (everything else). In the
vulnerable build the `pg-sidecar` sits on `core` and is reachable from the web
tier's relay โ that reachability is the point. The patched overlay isolates it.
## Quick start
```bash
cp .env.example .env
docker compose up --build -d
```
Then browse to .
The critical exploit (the recovery sidecar) is **fully unauthenticated** โ you
do not need to log in to reach it. The seeded platform accounts below exist only
as grey-box vantage points for discovery (reading Splunk's own audit logs in
Search & Reporting). Hand participants the **analyst** account and let them
discover the rest.
### Seeded accounts
| Username | Password | Role | Notes |
|---|---|---|---|
| `admin` | `Str@ta-Admin-2026!` | **admin** | Full platform admin (Settings, Users, Data Inputs) |
| `j.okafor` | `Analyst!Winter24` | **analyst** | **Start here** โ read-only Search & Reporting console |
| `m.reyes` | `Operator#2311` | **operator** | Manages sources / cluster views |
| `svc_forwarder` | `fwd-3f9a1c77b204` | **operator** | Service account (HEC forwarder) |
> These credentials are **intentionally documented** โ this is a self-contained
> training lab, not a production system. The exercise does **not** require
> cracking or escalating any of them; the critical `pg-sidecar` recovery API is
> unauthenticated. Full operator notes live in
> [`docs/DEPLOYMENT.md`](docs/DEPLOYMENT.md).
## Objectives
There are **two flags to capture**. Both are `SPLUNK{...}` strings; their values
live in the lab and are revealed in the docs โ they are intentionally **not**
printed here so you can earn them.
1. **Flag 1 โ auth bypass + credential theft.** Reach the recovery API through
the pre-session `__raw` relay, get past the sham `Basic` auth, and leak the
internal Postgres credential from the sidecar's `.pgpass`.
2. **Flag 2 โ unauthenticated RCE as `splunk`.** Turn the sidecar's file-write
and SQL-restore primitives into code execution on the scheduled
modular-input script, then read the protected secret.
Do not skip ahead: [`docs/DISCOVERY_WALKTHROUGH.md`](docs/DISCOVERY_WALKTHROUGH.md)
is written to be discovered, not spoiled. A graduated hint ladder and the full
instructor solution exist for training staff but are kept out of this package
so the exercise stays a blind solve.
## Documentation
| Doc | Audience / purpose |
|---|---|
| [`docs/DISCOVERY_WALKTHROUGH.md`](docs/DISCOVERY_WALKTHROUGH.md) | Discovery-driven path from fingerprint to RCE |
| [`docs/ROOT_CAUSE.md`](docs/ROOT_CAUSE.md) | Why it's vulnerable (CWE-306) and how the patch fixes it |
| [`docs/ARCHITECTURE.md`](docs/ARCHITECTURE.md) | Services, networks, the `__raw` relay, and data flow |
| [`docs/DETECTION.md`](docs/DETECTION.md) | Blue-team detection opportunities and signatures |
| [`docs/PLAYER_GUIDE.md`](docs/PLAYER_GUIDE.md) | Participant briefing and scope |
| `docs/HINTS.md` | Graduated hint ladder โ **kept internal, not included in this package** |
| `docs/INSTRUCTOR_GUIDE.md` | **Training staff only** โ full solution + flags, **kept internal, not included** |
| [`docs/DEPLOYMENT.md`](docs/DEPLOYMENT.md) | Stand up, operate, and tear down the environment |
## Remediation
The `patched/` tree mirrors Splunk's real fix (10.2.4) plus the advisory's
workaround, layered as defense in depth: real credential validation on the
recovery routes, `backupFile` path-traversal sanitization, elimination of the
libpq connection-string injection, a non-superuser restore role, dropping the
pre-auth `__raw` relay, and network isolation of the sidecar. See
[`patched/PATCH_NOTES.md`](patched/PATCH_NOTES.md).
Bring up the hardened build with the overlay:
```bash
docker compose -f docker-compose.yml -f patched/deploy/compose.override.hardened.yml up --build -d
```
### Workaround (no patch)
Mirroring the advisory's mitigation, you can disable the recovery sidecar
entirely without patching โ the analog of setting `[postgres] disabled = true`
in `server.conf`. Set the following in your `.env` and recreate the stack:
```bash
PG_SIDECAR_DISABLED=true
```
With the sidecar disabled, the `recovery/*` functions are gone and the chain is
broken at the source.
---
> **Training material.** This lab is an authorized, self-contained reproduction
> that **models** Splunk Enterprise CVE-2026-20253 for defensive education. It
> does not contain Splunk's proprietary source or binaries; the services here
> are an independent re-implementation of the *documented* vulnerable behavior.
> Use only against this lab. Running these techniques against systems you do not
> own is illegal.
## References
- Splunk Security Advisory โ **SVD-2026-0603** โ
- NVD โ **CVE-2026-20253** โ
- Picus Security โ technical write-up of the Splunk recovery-sidecar RCE
- Orca Security โ analysis of the PostgreSQL sidecar missing-authentication flaw
- The Hacker News โ coverage of the critical Splunk Enterprise vulnerability
- Help Net Security โ advisory summary and remediation guidance
- BleepingComputer โ reporting on CVE-2026-20253