Unauthenticated arbitrary file creation/truncation in Splunk Enterprise PostgreSQL Sidecar Service

Repository is a small standalone Python PoC for CVE-2026-20253 against Splunk Enterprise. It contains one primary code file (splunk_cve_2026_20253.py), dependency metadata (requirements.txt), and several Spanish-language documentation files covering installation, execution examples, detection/mitigation, contribution guidance, and security policy. The exploit script uses requests and disables TLS verification warnings. Its core logic defines a SplunkExploit class with methods to: (1) test unauthenticated access to the Splunk recovery backup endpoint using a POST request with JSON and an empty Basic Authorization header; (2) abuse the backup endpoint to create or truncate arbitrary files by supplying attacker-controlled backupFile paths; and (3) attempt RCE by preparing a Python payload that runs a shell command via /bin/sh -c and writes output to a chosen file. The script references the full attack chain involving PostgreSQL backup/restore primitives and a controlled PostgreSQL server, but the included code is explicitly described as a simplified demonstration that overwrites a Splunk Secure Gateway Python script path to achieve execution. In main(), it supports vulnerability checking, cleanup, arbitrary file creation as a proof step, command execution, and optional retrieval of output from a web-accessible Splunk static directory. Overall, this is a real exploit PoC rather than a detector-only script; however, based on the provided content it appears partially simplified/truncated relative to a full end-to-end weaponized chain, so OPERATIONAL is the best fit.