CVE-2026-20240 · PATCHED · 7.1
Splunk · Splunk Enterprise

Denial of Service through coldToFrozen.sh Script in Splunk Enterprise

Description

In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129, a low-privileged user that does not hold the ‘admin’ or ‘power’ Splunk roles could cause a Denial of Service by exploiting the `coldToFrozen.sh` script in the `splunk_archiver` app to rename critical Splunk directories, making the instance non-functional.

The Denial of Service is possible because of missing input validation in the `coldToFrozen.sh` script, which accepts arbitrary file paths and renames them without restricting operations to safe directories.

Affected Products

| Vendor | Product | Versions |
|--------|---------|----------|
| Splunk | Splunk Enterprise | 10.2, 10.0, 9.4, 9.3, 10.4.2603, 10.3.2512, 10.2.2510, 10.1.2507, 10.0.2503, 9.3.2411 |

Also Affects

Downstream vendors/products affected by this vulnerability

| Vendor | Product | Source | Confidence |
|--------|---------|--------|------------|
| splunk | splunk cloud | mitre_affected | 90% |

References

  • https://advisory.splunk.com/advisories/SVD-2026-0504

Related News (1 article)

Tier C
VulDB · 2h ago
CVE-2026-20240 | Splunk Enterprise/Cloud Platform splunk_archiver App coldToFrozen.sh denial of service (SVD-2026-0504)
→ No new info (linked only)
CVSS 3.1: 7.1 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CISA KEV: ❌ No
Actively exploited: ❌ No
Patch available: 10.2.2, 10.0.5, 9.4.11, 9.3.12, 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, 9.3.2411.129
CWE: CWE-20
Published: May 20, 2026
Last enriched: 1h ago
Trending Score: 27
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

HIGH · CVE-2026-20239
Sensitive Information Disclosure through Log Files in Splunk Enterprise
Trending: 32

CRITICAL · PRE-CVE
Multiple vulnerabilities in Splunk products requiring critical updates
Trending: 30

MEDIUM · CVE-2026-20238
Improper Access Control through Role Inheritance in Splunk AI Toolkit app
Trending: 23

HIGH · CVE-2026-20204 · EXP
Improper Handling and Insufficient Isolation of Specific Temporary Files in Splunk Enterprise
Trending: 1

HIGH · CVE-2026-20205 · EXP
Sensitive Information Disclosure in '_internal' index in Splunk MCP Server app
Trending: 1

Verification

State: verified
Confidence: 0%

Vulnerability Timeline

CVE Published: May 20, 2026
Discovered by ZDM: May 20, 2026
Patch Available: May 20, 2026