Splunk Enterprise PostgreSQL Recovery Endpoint Injection Artifacts

Last updated: 2026-06-15
Created: 2026-06-15

About

Detects CVE-2026-20253 exploit artifacts against the Splunk Enterprise PostgreSQL sidecar recovery endpoints via complementary signals. Where endpoint or Network Packet Capture request-body logging is available, the rule matches PostgreSQL connection-string injection keywords, suspicious `backupFile` destinations, and known filesystem artifacts used to pivot from backup/restore primitives to file write or RCE. It also detects vulnerable recovery endpoint probing and empty-password Basic auth credentials observed in public exploit tooling.
Tags
Domain: Network, Use Case: Threat Detection, Use Case: Vulnerability, Use Case: Network Security Monitoring, Tactic: Initial Access, Data Source: Azure, Data Source: Elastic Defend, Data Source: GCP, Data Source: Google Cloud Platform, Data Source: Network Packet Capture, Data Source: Network Traffic, Data Source: Zeek, Data Source: Suricata, Language: kuery
Severity
high
Risk Score
73
MITRE ATT&CK™

Initial Access (TA0001)

False Positive Examples
Authorized red-team or penetration testing tooling exercising the CVE-2026-20253 exploit chain. Legitimate Splunk user activity should not produce PostgreSQL connection-string keywords, suspicious filesystem targets, empty Basic auth credentials, or unauthenticated 400 responses on the recovery endpoints.
License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.network*
logs-network_traffic.http*
logs-zeek.http*
logs-suricata.eve*
logs-azure.application_gateway*
logs-gcp.loadbalancing_logs*
Related Integrations

endpoint
network_traffic
zeek
suricata
azure
gcp

Query
http.request.method:POST and
url.path:("*splunkd/__raw/v1/postgres/recovery/*" or "/v1/postgres/recovery/*") and
(
  http.request.body.content:(
    "*\"backupFile\"*../*" or
    "*\"backupFile\"*/dev/shm/*" or
    "*\"backupFile\"*/etc/cron*" or
    "*\"backupFile\"*/home/*/.ssh/*" or
    "*\"backupFile\"*/opt/splunk/bin/scripts/*" or
    "*\"backupFile\"*/opt/splunk/etc/apps/*" or
    "*\"backupFile\"*/root/*" or
    "*\"backupFile\"*/tmp/*" or
    "*\"backupFile\"*/var/tmp/*" or
    "*\"backupFile\"*authorized_keys*" or
    "*\"database\"*dbname=*" or
    "*\"database\"*host=*" or
    "*\"database\"*hostaddr=*" or
    "*\"database\"*passfile=*" or
    "*\"database\"*password=*" or
    "*\"database\"*port=*" or
    "*\"database\"*service=*" or
    "*\"database\"*sslmode=*" or
    "*\"database\"*user=*" or
    "*/opt/splunk/etc/apps/*" or
    "*/opt/splunk/var/packages/data/postgres/.pgpass*"
  ) or
  data_stream.dataset:zeek.http and url.password:"" or
  data_stream.dataset:(azure.application_gateway or gcp.loadbalancing_logs or network_traffic.http or suricata.eve or zeek.http) and
  url.path:(
    "*splunkd/__raw/v1/postgres/recovery/backup" or
    "*splunkd/__raw/v1/postgres/recovery/restore" or
    /v1/postgres/recovery/backup or
    /v1/postgres/recovery/restore
  ) and
  http.response.status_code:400
)
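To show how the three signals in the query combine (KQL `and` binds tighter than `or`, so the body match, the Zeek empty-password match and the proxy/NSM 400 probe are three independent branches under the POST-to-recovery-path condition), here is the same logic re-expressed in Python and run over constructed ECS-style events. This is an added example, not Elastic's rule code; the field names are the ones the query uses, and every sample value is constructed.

```python
import re
# Added example, not Elastic's code: the rule's three signals as Python, over constructed events.
RECOVERY_PATH = re.compile(r"(?:splunkd/__raw)?/v1/postgres/recovery/")
PROBE_PATH = re.compile(r"(?:splunkd/__raw)?/v1/postgres/recovery/(?:backup|restore)$")
BODY_PATTERNS = [re.compile(p, re.S) for p in (
    # "backupFile" followed somewhere by a destination the rule treats as suspicious
    r'"backupFile".*(?:\.\./|/dev/shm/|/etc/cron|/home/.*/\.ssh/|/opt/splunk/bin/scripts/'
    r'|/opt/splunk/etc/apps/|/root/|/tmp/|/var/tmp/|authorized_keys)',
    # "database" followed somewhere by a libpq connection-string keyword
    r'"database".*(?:dbname|host|hostaddr|passfile|password|port|service|sslmode|user)=',
    # bare filesystem artifacts anywhere in the request body
    r'/opt/splunk/etc/apps/|/opt/splunk/var/packages/data/postgres/\.pgpass',
)]
PROXY_DATASETS = {"azure.application_gateway", "gcp.loadbalancing_logs",
                  "network_traffic.http", "suricata.eve", "zeek.http"}

def matches_rule(event: dict) -> bool:
    """True when the event satisfies the KQL: POST to a recovery path AND any of
    (body artifact) OR (zeek.http with empty url.password) OR (proxy/NSM 400 probe)."""
    if event.get("http.request.method") != "POST":
        return False
    path = event.get("url.path", "")
    if not RECOVERY_PATH.search(path):
        return False
    body = event.get("http.request.body.content", "")
    dataset = event.get("data_stream.dataset", "")
    body_hit = any(p.search(body) for p in BODY_PATTERNS)
    empty_basic_pw = dataset == "zeek.http" and event.get("url.password") == ""
    probe_400 = (dataset in PROXY_DATASETS and PROBE_PATH.search(path) is not None
                 and event.get("http.response.status_code") == 400)
    return body_hit or empty_basic_pw or probe_400

def alerting_indexes(events: list) -> list:
    return [i for i, e in enumerate(events) if matches_rule(e)]

RAW = "/services/splunkd/__raw/v1/postgres/recovery/"
SAMPLE_EVENTS = [  # constructed test fixtures, not captured traffic
    {"data_stream.dataset": "endpoint.events.network", "http.request.method": "POST",
     "url.path": RAW + "backup", "http.request.body.content": '{"backupFile": "/etc/cron.d/x"}'},
    {"data_stream.dataset": "network_traffic.http", "http.request.method": "POST",
     "url.path": "/v1/postgres/recovery/restore",
     "http.request.body.content": '{"database": "db host=10.0.0.5 sslmode=disable"}'},
    {"data_stream.dataset": "zeek.http", "http.request.method": "POST",
     "url.path": RAW + "backup", "url.username": "admin", "url.password": ""},
    {"data_stream.dataset": "suricata.eve", "http.request.method": "POST",
     "url.path": "/v1/postgres/recovery/backup", "http.response.status_code": 400},
    {"data_stream.dataset": "endpoint.events.network", "http.request.method": "POST",  # benign
     "url.path": RAW + "backup", "http.request.body.content": '{"backupFile": "/opt/splunk/var/run/pg/nightly.sql"}'},
]
```

Only the first four constructed events fire; the last one, a backup to an ordinary path with no connection-string keywords, is the kind of legitimate activity the False Positive Examples section says should not match.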

Install detection rules in Elastic Security

Detect Splunk Enterprise PostgreSQL Recovery Endpoint Injection Artifacts in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, see the installation guide for Prebuilt Security Detection Rules.