Splunk Enterprise < 10.0.7 / 10.2.x < 10.2.4 Remote Code Execution

critical Web App Scanning Plugin ID 115266

Synopsis

Splunk Enterprise < 10.0.7 / 10.2.x < 10.2.4 Remote Code Execution

Description

The detected Splunk Enterprise instance exposes an unauthenticated PostgreSQL sidecar service endpoint that is reachable through the splunkd __raw proxy. Because the endpoint lacks authentication controls, any unauthenticated user with network access to the instance can invoke file operations, which can be leveraged to achieve remote code execution. The scanner confirmed the vulnerability by interacting with the unprotected backend endpoint.

Solution

Upgrade to Splunk Enterprise 10.0.7, 10.2.4, or later. As a mitigation, disable the PostgreSQL sidecar service. Refer to Splunk advisory SVD-2026-0603 for details.

See Also

https://advisory.splunk.com/advisories/SVD-2026-0603

Plugin Details

Severity: Critical

ID: 115266

Type: Check Based

Published: 6/17/2026

Updated: 6/17/2026

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Critical

Score: 9.0

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-20253

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS Score Source: CVE-2026-20253

Vulnerability Information

CPE: cpe:2.3:a:splunk:splunk:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/10/2026

Vulnerability Publication Date: 6/9/2026

Reference Information

CVE: CVE-2026-20253