A severe vulnerability chain in Splunk Enterprise is letting unauthenticated attackers execute remote code, no login required. Tracked as CVE-2026-20253 with a CVSS score of 9.8, the flaw targets the PostgreSQL Sidecar Service introduced in Splunk Enterprise 10 and later.
The service is active by default on AWS deployments, making cloud installations immediately exposed. Researchers at watchTowr Labs found attackers can send crafted HTTP requests to internal API endpoints, manipulate file paths, inject malicious database connections, and ultimately overwrite Python scripts to run arbitrary commands.
Splunk has released a patch — AWS users should prioritize updating immediately.
Source: Cybersecurity News