Share
## https://sploitus.com/exploit?id=7C02CBDF-7281-5715-BEAC-5517F65B9434
# Splunk Enterprise โ€” CVE-2026-20253 Training Lab

> **Splunk Enterprise 10.2.3 ยท PostgreSQL recovery sidecar ยท CWE-306 (Missing Authentication for Critical Function)**
> An authorized, self-contained reproduction that **models** the real advisory
> for defensive education. It does not ship Splunk's proprietary code.

This repository is a Vulhub/DVWA-style security-training lab. It stands up a
faithful model of **Splunk Enterprise 10.2.3** and reproduces the documented
behavior behind **CVE-2026-20253**: the bundled **PostgreSQL recovery sidecar**
exposes privileged file-write and SQL-execution functions with *no real
authentication* (a blank/any `Basic` header is accepted), and the Splunk web
tier relays `__raw/v1/postgres/*` to that sidecar **before** the login gate.
Chained, this yields **unauthenticated remote code execution** as the
non-root `splunk` service account.

The lab is fully solvable end to end: fingerprint the edge, follow a pre-auth
health badge to the internal recovery API, prove arbitrary file write, steal the
internal Postgres credential, and pivot a SQL-restore file-write primitive into
code execution on a scheduled modular-input script.

## Advisory

| | |
|---|---|
| **Vendor advisory** | SVD-2026-0603 |
| **CVE** | CVE-2026-20253 |
| **Weakness** | CWE-306 โ€” Missing Authentication for Critical Function |
| **Affected** | Splunk Enterprise 10.2.3 |
| **Fixed in** | Splunk Enterprise 10.2.4 |
| **CVSS 3.1** | **9.8 (Critical)** โ€” `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` |

## Architecture

```
                         edge network                 core network
                    โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”   โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
  browser โ”€โ–ถ proxy :8080 โ”€โ”€โ–ถ web  :8001 (SPA)
             (nginx edge)  โ””โ–ถ splunkd :8089 โ”€โ”ฌโ”€โ–ถ db      :5432  (postgres)
                              login API +    โ”œโ”€โ–ถ redis   :6379  (jobs/cache)
                              __raw relay โ”€โ”€โ”€โ”ผโ”€โ–ถ pg-sidecar :5435  โ—€โ”€โ”€ THE VULN
                                             โ”‚       (recovery API, blank Basic)
  forwarders โ”€โ–ถ ingest :8088 (HEC) โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
                                       scheduler โ”€โ”€โ–ถ runs modular-input script
                                                     as `splunk` (uid 1000) โ€” RCE sink
                                       shared volume app_data mounted into
                                       pg-sidecar (write) + scheduler (exec)
```

| Service | Image | Listens | Published | Role |
|---|---|---|---|---|
| `proxy` | `splunk/proxy:10.2.3` | 8080 | **8080:8080** | nginx edge; Splunk Web + `__raw` relay entrypoint |
| `web` | `splunk/web:10.2.3` | 8001 | โ€” | Splunk Web single-page app (static) |
| `splunkd` | `splunk/splunkd:10.2.3` | 8089 | โ€” | Splunk daemon / web tier: login API **+** the pre-session `/{locale}/splunkd/__raw/v1/postgres/*` relay |
| `ingest` | `splunk/ingest:10.2.3` | 8088 | **8088:8088** | HTTP Event Collector (token auth) |
| `pg-sidecar` | `splunk/pg-sidecar:10.2.3` | 5435 | โ€” | **THE VULNERABILITY** โ€” PostgreSQL recovery sidecar (`/v1/postgres/*`) |
| `scheduler` | `splunk/scheduler:10.2.3` | โ€” | โ€” | runs the scheduled modular-input script **as `splunk`** โ†’ RCE sink |
| `db` | `postgres:16-alpine` | 5432 | โ€” | internal Postgres the sidecar backs up / restores |
| `redis` | `redis:7-alpine` | 6379 | โ€” | job queue / cache |

Two Docker bridges: `edge` (proxy) and `core` (everything else). In the
vulnerable build the `pg-sidecar` sits on `core` and is reachable from the web
tier's relay โ€” that reachability is the point. The patched overlay isolates it.

## Quick start

```bash
cp .env.example .env
docker compose up --build -d
```

Then browse to .

The critical exploit (the recovery sidecar) is **fully unauthenticated** โ€” you
do not need to log in to reach it. The seeded platform accounts below exist only
as grey-box vantage points for discovery (reading Splunk's own audit logs in
Search & Reporting). Hand participants the **analyst** account and let them
discover the rest.

### Seeded accounts

| Username | Password | Role | Notes |
|---|---|---|---|
| `admin` | `Str@ta-Admin-2026!` | **admin** | Full platform admin (Settings, Users, Data Inputs) |
| `j.okafor` | `Analyst!Winter24` | **analyst** | **Start here** โ€” read-only Search & Reporting console |
| `m.reyes` | `Operator#2311` | **operator** | Manages sources / cluster views |
| `svc_forwarder` | `fwd-3f9a1c77b204` | **operator** | Service account (HEC forwarder) |

> These credentials are **intentionally documented** โ€” this is a self-contained
> training lab, not a production system. The exercise does **not** require
> cracking or escalating any of them; the critical `pg-sidecar` recovery API is
> unauthenticated. Full operator notes live in
> [`docs/DEPLOYMENT.md`](docs/DEPLOYMENT.md).

## Objectives

There are **two flags to capture**. Both are `SPLUNK{...}` strings; their values
live in the lab and are revealed in the docs โ€” they are intentionally **not**
printed here so you can earn them.

1. **Flag 1 โ€” auth bypass + credential theft.** Reach the recovery API through
   the pre-session `__raw` relay, get past the sham `Basic` auth, and leak the
   internal Postgres credential from the sidecar's `.pgpass`.
2. **Flag 2 โ€” unauthenticated RCE as `splunk`.** Turn the sidecar's file-write
   and SQL-restore primitives into code execution on the scheduled
   modular-input script, then read the protected secret.

Do not skip ahead: [`docs/DISCOVERY_WALKTHROUGH.md`](docs/DISCOVERY_WALKTHROUGH.md)
is written to be discovered, not spoiled. A graduated hint ladder and the full
instructor solution exist for training staff but are kept out of this package
so the exercise stays a blind solve.

## Documentation

| Doc | Audience / purpose |
|---|---|
| [`docs/DISCOVERY_WALKTHROUGH.md`](docs/DISCOVERY_WALKTHROUGH.md) | Discovery-driven path from fingerprint to RCE |
| [`docs/ROOT_CAUSE.md`](docs/ROOT_CAUSE.md) | Why it's vulnerable (CWE-306) and how the patch fixes it |
| [`docs/ARCHITECTURE.md`](docs/ARCHITECTURE.md) | Services, networks, the `__raw` relay, and data flow |
| [`docs/DETECTION.md`](docs/DETECTION.md) | Blue-team detection opportunities and signatures |
| [`docs/PLAYER_GUIDE.md`](docs/PLAYER_GUIDE.md) | Participant briefing and scope |
| `docs/HINTS.md` | Graduated hint ladder โ€” **kept internal, not included in this package** |
| `docs/INSTRUCTOR_GUIDE.md` | **Training staff only** โ€” full solution + flags, **kept internal, not included** |
| [`docs/DEPLOYMENT.md`](docs/DEPLOYMENT.md) | Stand up, operate, and tear down the environment |

## Remediation

The `patched/` tree mirrors Splunk's real fix (10.2.4) plus the advisory's
workaround, layered as defense in depth: real credential validation on the
recovery routes, `backupFile` path-traversal sanitization, elimination of the
libpq connection-string injection, a non-superuser restore role, dropping the
pre-auth `__raw` relay, and network isolation of the sidecar. See
[`patched/PATCH_NOTES.md`](patched/PATCH_NOTES.md).

Bring up the hardened build with the overlay:

```bash
docker compose -f docker-compose.yml -f patched/deploy/compose.override.hardened.yml up --build -d
```

### Workaround (no patch)

Mirroring the advisory's mitigation, you can disable the recovery sidecar
entirely without patching โ€” the analog of setting `[postgres] disabled = true`
in `server.conf`. Set the following in your `.env` and recreate the stack:

```bash
PG_SIDECAR_DISABLED=true
```

With the sidecar disabled, the `recovery/*` functions are gone and the chain is
broken at the source.

---

> **Training material.** This lab is an authorized, self-contained reproduction
> that **models** Splunk Enterprise CVE-2026-20253 for defensive education. It
> does not contain Splunk's proprietary source or binaries; the services here
> are an independent re-implementation of the *documented* vulnerable behavior.
> Use only against this lab. Running these techniques against systems you do not
> own is illegal.

## References

- Splunk Security Advisory โ€” **SVD-2026-0603** โ€” 
- NVD โ€” **CVE-2026-20253** โ€” 
- Picus Security โ€” technical write-up of the Splunk recovery-sidecar RCE
- Orca Security โ€” analysis of the PostgreSQL sidecar missing-authentication flaw
- The Hacker News โ€” coverage of the critical Splunk Enterprise vulnerability
- Help Net Security โ€” advisory summary and remediation guidance
- BleepingComputer โ€” reporting on CVE-2026-20253