VYPR
Medium severity · 6.5 · NVD Advisory · Published May 20, 2026

CVE-2026-20240

Description

In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129, a low-privileged user that does not hold the ‘admin’ or ‘power’ Splunk roles could cause a Denial of Service by exploiting the coldToFrozen.sh script in the splunk_archiver app to rename critical Splunk directories, making the instance non-functional. The Denial of Service is possible because of missing input validation in the coldToFrozen.sh script, which accepts arbitrary file paths and renames them without restricting operations to safe directories.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A low-privileged Splunk user can cause a denial of service by exploiting missing input validation in the coldToFrozen.sh script to rename critical directories.

Vulnerability

A missing input validation flaw exists in the coldToFrozen.sh script of the splunk_archiver app in Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129 [1]. The script accepts arbitrary file paths and renames them without restricting operations to safe directories, allowing a low-privileged user to target critical Splunk directories [1]. No special role beyond default low-privileged access is required [1].

Exploitation

An attacker must be an authenticated Splunk user who does not hold the admin or power roles [1]. The attacker exploits the coldToFrozen.sh script by providing arbitrary file paths that point to critical Splunk directories [1]. The script then renames those directories without checking whether the operation is safe, causing the instance to become non-functional [1].

Impact

Successful exploitation results in a denial of service (DoS) as critical directories are renamed, rendering the Splunk instance non-functional [1]. The attack does not require elevated privileges and has no confidentiality or integrity impact [1].

Mitigation

Splunk has released fixed versions: Splunk Enterprise 10.2.2, 10.0.5, 9.4.11, 9.3.12, and the corresponding Splunk Cloud Platform versions listed in the advisory [1]. A workaround is to disable the Splunk Archiver app entirely [1]. If frozen bucket archiving is required, the Splunk documentation should be consulted for safe configuration [1].
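The defect described in the Vulnerability and Mitigation sections is a rename that never checks where the supplied path actually points. The following shell script is an added illustration written for this page; it is not Splunk's coldToFrozen.sh, nor any code from the advisory or its references. It shows the kind of confinement check such a script needs: the candidate path is canonicalised (symlinks followed, `..` collapsed) and the rename proceeds only if the result lies strictly inside a designated base directory. The function names, the directory layout under a temporary directory, and the symlink "escape" case are all constructed for the example.

```shell
#!/bin/sh
# Added example, not Splunk's coldToFrozen.sh: confine a directory rename to
# paths that resolve inside an allowed base directory. Function names, the
# directory layout and the temp paths are all constructed for this example.

# Print the canonical form of directory $1 (symlinks followed, ".." collapsed).
# Returns 1 and prints nothing if $1 is not an existing directory.
canon_dir() {
    [ -d "$1" ] || return 1
    (unset CDPATH; cd -- "$1" 2>/dev/null && pwd -P)
}

# Return 0 only if directory $1 canonicalises to somewhere strictly inside
# base directory $2. The base itself is rejected, as is a sibling that merely
# shares a textual prefix (e.g. /opt/coldX vs /opt/cold). Comparing canonical
# forms is what defeats symlink and ".." escapes.
is_under_base() {
    iub_target=$(canon_dir "$1") || return 1
    iub_base=$(canon_dir "$2") || return 1
    case "$iub_target" in
        "$iub_base"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Move bucket directory $1 into frozen directory $3, but only when $1 lies
# under the allowed cold base $2. Nothing is renamed when the check fails.
archive_bucket() {
    is_under_base "$1" "$2" || return 1
    [ -d "$3" ] || return 1
    mv -- "$1" "$3"/
}

# Build a constructed layout under a fresh temp dir and print its path:
#   cold/db_1    a legitimate bucket
#   cold/escape  a symlink inside the base that points outside it (to etc/)
#   etc/         a "critical" directory that must never be renamed
#   frozen/      the archive destination
setup_demo() {
    sd_root=$(mktemp -d) || return 1
    mkdir -p "$sd_root/cold/db_1" "$sd_root/etc" "$sd_root/frozen" || return 1
    ln -s "$sd_root/etc" "$sd_root/cold/escape" || return 1
    printf '%s\n' "$sd_root"
}

# Stand-alone run: the check accepts the real bucket and rejects the symlink
# escape, the ".." traversal and a directory outside the base.
demo() {
    demo_root=$(setup_demo) || return 1
    for p in "$demo_root/cold/db_1" "$demo_root/cold/escape" \
             "$demo_root/cold/../etc" "$demo_root/etc"; do
        if is_under_base "$p" "$demo_root/cold"; then
            printf 'allowed : %s\n' "$p"
        else
            printf 'rejected: %s\n' "$p"
        fi
    done
    rm -rf "$demo_root"
}
demo
```

The decisive step is comparing canonical paths rather than the string the caller supplied: a path that textually begins with the base can still resolve elsewhere through a symlink or a `..` component, and the `"$base"/*` pattern additionally rejects both the base itself and a sibling that only shares a prefix. The same confinement would apply to the destination directory in a real archiver, which this example leaves as a plain existence check.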

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 1
