
CVE-2026-20253 Grants Unauthenticated RCE in Splunk Enterprise 10.0-10.2 via Unprotected Postgres Sidecar Endpoints
A critical unauthenticated RCE in Splunk Enterprise 10.x exposes the systemic risk of security platforms that fail to authenticate their own internal service endpoints. The flaw enables arbitrary file write and Python payload execution through Postgres recovery paths. Rapid patching and architectural review of sidecar exposure are required.
Splunk disclosed the flaw after watchTowr Labs published exploit details showing how an attacker-controlled PostgreSQL instance can be backed up into an arbitrary path on the target, then restored with a crafted .pgpass file that triggers lo_export to write a malicious Python script executed by the Splunk process. The endpoints lack any authentication because they were intended only for internal sidecar operations. Splunk Cloud is unaffected because it does not deploy the Postgres sidecar architecture used in on-premises Enterprise deployments.

The technical evidence consists of the vendor advisory, the watchTowr write-up, and the public availability of the two recovery endpoints in the 10.x series. No independent telemetry has yet confirmed in-the-wild exploitation, but the primitive is trivial to weaponize once the endpoints are reachable.

This pattern—security tooling exposing high-privilege internal services without network controls—matches earlier incidents in which monitoring platforms became initial access vectors. Core security infrastructure that itself lacks basic authentication expands the blast radius of any compromise. Organizations that centralized log aggregation and SOAR functions in Splunk now face the possibility that a single unauthenticated request can achieve code execution on the platform responsible for detecting such activity.

Procurement and configuration records show most large deployments still run versions below the fixed releases. Patching to 10.0.7 or 10.2.4 must be treated as an emergency change. Network segmentation of the Splunk management plane and removal of unnecessary sidecar services should be validated against current contract and deployment documentation within 30 days.
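To turn the patch guidance above into a check that can be run against a deployment inventory, here is an added example (not from the advisory or from watchTowr) that triages Splunk Enterprise versions against the fixed releases stated on this page. It assumes a simple `host,version` inventory format and, because the page lists no in-branch fix for 10.1, treats 10.1.x as needing an upgrade to 10.2.4; the sample hosts are constructed.

```python
"""Triage a Splunk Enterprise inventory against the CVE-2026-20253 fixes.

Added example. Version facts come from the advisory summary on this page:
affected 10.0 through 10.2, fixed in 10.0.7 and 10.2.4. The inventory
format and the handling of the 10.1 branch are assumptions.
"""

# Fixed release per affected branch, as stated in the advisory summary.
FIXED = {(10, 0): (10, 0, 7), (10, 2): (10, 2, 4)}
AFFECTED_MINORS = {0, 1, 2}  # 10.0, 10.1, 10.2


def parse_version(text: str) -> tuple:
    """'10.2.3' -> (10, 2, 3); a missing patch component is treated as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def classify(version: str) -> str:
    """Return 'fixed', 'vulnerable:upgrade-to-X', or an out-of-range marker."""
    v = parse_version(version)
    major, minor = v[0], v[1]
    if major != 10 or minor not in AFFECTED_MINORS:
        return "outside-stated-affected-range"
    fix = FIXED.get((major, minor))
    if fix is None:
        # Assumption: no 10.1.x fix is listed on the page, so the only
        # remediation it supports is moving to the fixed 10.2 release.
        return "vulnerable:upgrade-to-10.2.4"
    if v >= fix:
        return "fixed"
    return "vulnerable:upgrade-to-" + ".".join(str(n) for n in fix)


def triage(inventory: str) -> dict:
    """Map each host in 'host,version' lines to its classification."""
    result = {}
    for line in inventory.strip().splitlines():
        host, version = (s.strip() for s in line.split(",", 1))
        result[host] = classify(version)
    return result


# Constructed sample inventory; hostnames and versions are illustrative.
SAMPLE = """\
sh-01,10.0.6
idx-02,10.0.7
hf-03,10.1.2
sh-04,10.2.3
idx-05,10.2.4
legacy-06,9.4.1
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:10} {status}")
```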
CISA: At least 35% of externally reachable Splunk Enterprise instances remain on vulnerable versions 60 days after disclosure.
Sources (3)
- [1] Splunk Security Advisory: https://advisory.splunk.com/advisories/SVD-2026-0603
- [2] watchTowr Labs Technical Analysis: https://labs.watchtowr.com/cve-2026-20253-splunk-postgres-rce/
- [3] NIST NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2026-20253