A significant security vulnerability has been identified in Splunk Enterprise that allows unauthenticated attackers to execute remote code. The flaw, tracked as CVE-2026-20253, carries a CVSS score of 9.8 and affects Splunk Enterprise versions 10 and above. It originates in the PostgreSQL Sidecar Service, a component introduced in newer versions of Splunk. The service is not always active in on-premise setups, but it is enabled by default in Splunk Enterprise deployments on AWS, which makes those environments particularly exposed.
WatchTowr Labs discovered that the service, which is intended to be reachable only on localhost, can be accessed externally through Splunk's main web interface. Attackers can reach it by sending specific HTTP requests to internal API endpoints. Because no authentication controls are applied on this path, the requests are accepted with any credentials, including none, letting attackers perform database operations without proper access.
Although initially thought to only allow file creation and truncation, the vulnerability can be exploited further. By injecting a PostgreSQL connection string into certain parameters, attackers can manipulate connection settings and cause Splunk to connect to a database under their control. This opens the door for malicious content to be written to the Splunk filesystem, facilitating arbitrary file writes. With these capabilities, attackers can overwrite legitimate scripts and execute harmful commands on the target system.
The flaw underscores the risk posed by internal services exposed through proxy mechanisms, particularly when authentication is applied inconsistently between the proxy and the backend. Splunk has issued an advisory urging users to update to patched versions promptly. Organizations, especially those running Splunk on AWS, should patch their systems immediately. In addition, monitoring access to internal API endpoints, minimizing unnecessary exposure of internal services, and reviewing the integrity of files on the Splunk host are important mitigations. Detection tools that assess whether the internal endpoints enforce access control are available to help identify vulnerable instances.
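As an added illustration of the defensive pattern this case calls for (not Splunk's code, and not tied to any real Splunk endpoint), the gate below shows the two controls a front end should apply before forwarding a request to a localhost-only backend: authenticate at the proxy boundary rather than only on the normal UI routes, and allowlist the keys permitted in a forwarded database connection string so that host or port overrides are refused. The path prefix, parameter name, token store and allowlist are all hypothetical placeholders.

```python
from dataclasses import dataclass, field

# Hypothetical allowlist of keys a forwarded libpq-style connection string may
# carry. Host, port and similar keys are deliberately absent so a caller cannot
# redirect the backend to a database it controls.
ALLOWED_CONN_KEYS = {"dbname", "user", "connect_timeout"}
INTERNAL_PREFIX = "/internal/"  # hypothetical prefix that is proxied to localhost
VALID_TOKENS = {"example-valid-session-token"}  # constructed sample credential store


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for the example)."""
    path: str
    headers: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


def connection_string_is_safe(conn: str) -> bool:
    """Parse 'key=value key=value ...' and refuse any key outside the allowlist."""
    for token in conn.split():
        key, sep, _value = token.partition("=")
        if not sep or key.lower() not in ALLOWED_CONN_KEYS:
            return False
    return True


def gate(req: Request) -> int:
    """Return the HTTP status the front end should answer with before forwarding.

    The vulnerable pattern is to forward anything under INTERNAL_PREFIX straight
    to the localhost service; this version checks credentials first and then
    validates the connection-string parameter.
    """
    if not req.path.startswith(INTERNAL_PREFIX):
        return 404
    auth = req.headers.get("Authorization", "")
    token = auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else ""
    if token not in VALID_TOKENS:
        return 401  # unauthenticated: never forwarded
    conn = req.params.get("connection", "")
    if conn and not connection_string_is_safe(conn):
        return 400  # injected host/port override rejected
    return 200  # safe to forward to the localhost service
```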
This case illustrates how minor issues, such as arbitrary file writes, can escalate into severe threats when combined with other system vulnerabilities and credential exposures.