Splunk Enterprise versions below 10.2.4 and 10.0.7, and Splunk Cloud Platform versions below 10.4.2604.3 and 10.2.2510.14, expose a PostgreSQL sidecar service endpoint that entirely lacks authentication controls. An unauthenticated, network-reachable attacker can exploit this to create or truncate arbitrary files on the host system — with no credentials, no user interaction, and low attack complexity required (CVSS 9.8).
Successful exploitation could lead to data destruction, service disruption, or facilitate further compromise such as privilege escalation or remote code execution by overwriting sensitive files. Organizations running self-hosted Splunk Enterprise should prioritize upgrading to the patched versions immediately, and in the interim consider network-level controls to restrict access to the affected service port.

