The vulnerability CVE-2026-20240 in Splunk Enterprise and Splunk Cloud Platform involves improper input validation in the coldToFrozen.sh script of the splunk_archiver app. This script accepts arbitrary file paths and renames them without restricting to safe directories, enabling a low-privileged user lacking admin or power roles to rename critical directories. Exploitation results in a Denial of Service by rendering the Splunk instance non-functional. Affected versions include Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and corresponding older versions of Splunk Cloud Platform. The CVSS 3.1 score is 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, but high impact on availability. No vendor advisory or patch information is provided, so remediation status is unknown.

Exploitation of this vulnerability allows a low-privileged user to cause a Denial of Service by renaming critical Splunk directories via the coldToFrozen.sh script. This makes the affected Splunk instance non-functional, impacting availability. There is no impact on confidentiality or integrity according to the CVSS vector. No known exploits in the wild have been reported at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the splunk_archiver app and the coldToFrozen.sh script to trusted users only, and monitor for any unauthorized attempts to execute this script. Avoid granting low-privileged users access to this functionality. Follow official Splunk advisories for updates.