Denial of Service through coldToFrozen.sh Script in Splunk Enterprise
Advisory ID: SVD-2026-0504
CVE ID: CVE-2026-20240
Published: 2026-05-20
Last Update: 2026-05-20
CVSSv3.1 Score: 7.1, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-20
Bug ID: VULN-60037
Description
In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129, a low-privileged user that does not hold the ‘admin’ or ‘power’ Splunk roles could cause a Denial of Service by exploiting the coldToFrozen.sh script in the splunk_archiver app to rename critical Splunk directories, making the instance non-functional.
The Denial of Service is possible because of missing input validation in the coldToFrozen.sh script, which accepts arbitrary file paths and renames them without restricting operations to safe directories.
See "Set a retirement and archiving policy" and "About role-based user access" in the Splunk documentation for more information.
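The missing check described above, written as an added example that is not Splunk's coldToFrozen.sh: a POSIX sh cold-to-frozen hook that resolves the requested bucket path and refuses to rename anything that does not sit strictly inside an allowlisted bucket root. COLD_ROOT, ARCHIVE_ROOT and their placeholder defaults are assumptions, not paths from the advisory.

```shell
#!/bin/sh
# Added example (not Splunk's coldToFrozen.sh): archive a cold bucket only when the
# requested path canonicalizes to a strict child of an allowlisted bucket root.
# COLD_ROOT and ARCHIVE_ROOT are assumed locations; the defaults are placeholders.
COLD_ROOT="${COLD_ROOT:-/placeholder/cold-buckets}"
ARCHIVE_ROOT="${ARCHIVE_ROOT:-/placeholder/frozen-archive}"

# canon_dir DIR: print the physical path of DIR with every symlink and '..' resolved;
# fail if DIR does not exist or is not a directory.
canon_dir() {
    (cd -P -- "$1" 2>/dev/null && pwd -P)
}

# is_under ROOT PATH: succeed only when PATH resolves to a strict child of ROOT.
# Comparing resolved paths defeats '..' segments and symlinks planted under ROOT.
is_under() {
    root=$(canon_dir "$1") || return 1
    target=$(canon_dir "$2") || return 1
    [ "$root" != / ] || return 1          # never treat the filesystem root as a bucket root
    case "$target" in
        "$root"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# archive_bucket BUCKET_DIR: move BUCKET_DIR into ARCHIVE_ROOT, or refuse with a
# message on stderr when it lies outside COLD_ROOT or would clobber an existing archive.
archive_bucket() {
    if ! is_under "$COLD_ROOT" "$1"; then
        printf 'refusing to archive %s: not a bucket under %s\n' "$1" "$COLD_ROOT" >&2
        return 2
    fi
    src=$(canon_dir "$1")
    if ! dest=$(canon_dir "$ARCHIVE_ROOT"); then
        printf 'refusing to archive %s: %s is not a directory\n' "$1" "$ARCHIVE_ROOT" >&2
        return 2
    fi
    name=${src##*/}
    if [ -e "$dest/$name" ]; then
        printf 'refusing to archive %s: %s already exists\n' "$1" "$dest/$name" >&2
        return 2
    fi
    mv -- "$src" "$dest/$name"
}

# When run as a script, archive the single bucket named on the command line.
[ "$#" -eq 0 ] || archive_bucket "$1"
```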
Solution
Upgrade Splunk Enterprise to versions 10.2.2, 10.0.5, 9.4.11, 9.3.12, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
| Product | Base Version | Component | Affected Version | Fix Version |
|---|---|---|---|---|
| Splunk Enterprise | 10.4 | Splunk Archiver | Not affected | N/A |
| Splunk Enterprise | 10.2 | Splunk Archiver | 10.2.0 to 10.2.1 | 10.2.2 |
| Splunk Enterprise | 10.0 | Splunk Archiver | 10.0.0 to 10.0.4 | 10.0.5 |
| Splunk Enterprise | 9.4 | Splunk Archiver | 9.4.0 to 9.4.10 | 9.4.11 |
| Splunk Enterprise | 9.3 | Splunk Archiver | 9.3.0 to 9.3.11 | 9.3.12 |
| Splunk Cloud Platform | 10.4.2603 | Splunk Archiver | Below 10.4.2603.1 | 10.4.2603.1 |
| Splunk Cloud Platform | 10.3.2512 | Splunk Archiver | Below 10.3.2512.9 | 10.3.2512.9 |
| Splunk Cloud Platform | 10.2.2510 | Splunk Archiver | Below 10.2.2510.11 | 10.2.2510.11 |
| Splunk Cloud Platform | 10.1.2507 | Splunk Archiver | Below 10.1.2507.21 | 10.1.2507.21 |
| Splunk Cloud Platform | 10.0.2503 | Splunk Archiver | Below 10.0.2503.13 | 10.0.2503.13 |
| Splunk Cloud Platform | 9.3.2411 | Splunk Archiver | Below 9.3.2411.129 | 9.3.2411.129 |
Mitigations and Workarounds
Turn off the Splunk Archiver app. See "Manage app and add-on objects" in the Splunk documentation.
Note: If you use frozen bucket archiving with the splunk_archiver app, turning off the app will stop automated cold-to-frozen bucket transitions.
Detections
None
Severity
Splunk rates this vulnerability a 7.1, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H.
If you do not use the Splunk Archiver app, there should be no impact and the severity would be Informational.
Acknowledgments
Alex Hordijk (hordalex)