CVE-2026-40050
Status: Received - Intake
Unauthenticated Path Traversal in CrowdStrike LogScale Allows File Access

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: CrowdStrike Holdings, Inc.

Description
CrowdStrike has released security updates to address a critical unauthenticated path traversal vulnerability (CVE-2026-40050) in LogScale. This vulnerability only requires mitigation by customers that host specific versions of LogScale and does not affect Next-Gen SIEM customers. The vulnerability exists in a specific cluster API endpoint that, if exposed, allows a remote attacker to read arbitrary files from the server filesystem without authentication. Next-Gen SIEM customers are not affected and do not need to take any action. CrowdStrike mitigated the vulnerability for LogScale SaaS customers by deploying network-layer blocks to all clusters on April 7, 2026. We have proactively reviewed all log data and there is no evidence of exploitation. LogScale Self-hosted customers should upgrade to a patched version immediately to remediate the vulnerability. CrowdStrike identified this vulnerability during continuous and ongoing product testing.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-04-21
EPSS Evaluated: 2026-06-15
References: NVD, EUVD
Affected Vendors & Products (6 associated CPEs)
Vendor       Product   Version / Range
crowdstrike  logscale  1.224.0
crowdstrike  logscale  1.234.0
crowdstrike  logscale  From 1.235.1 (inc)
crowdstrike  logscale  From 1.234.1 (inc)
crowdstrike  logscale  From 1.233.1 (inc)
crowdstrike  logscale  From 1.228.2 (inc)
CWE
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Executive Summary

CVE-2026-40050 is a critical unauthenticated path traversal vulnerability in CrowdStrike LogScale, specifically affecting certain self-hosted versions. The flaw exists in a specific cluster API endpoint that, if exposed, allows a remote attacker to read arbitrary files from the server filesystem without any authentication.

This vulnerability is identified as CWE-306 (Missing Authentication for Critical Function) and CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, i.e., Path Traversal).

Compliance Impact

The vulnerability allows unauthenticated remote attackers to read arbitrary files from the server filesystem, which could potentially expose sensitive data.

Such unauthorized data access could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

However, CrowdStrike has mitigated the vulnerability for SaaS customers and advises self-hosted customers to upgrade immediately, which helps reduce the risk of non-compliance.

Impact Analysis

If the vulnerable LogScale self-hosted version is exposed, a remote attacker can exploit this vulnerability to read arbitrary files on the server without authentication.

This can lead to unauthorized disclosure of sensitive information stored on the server, potentially compromising confidentiality, integrity, and availability of data.

Next-Gen SIEM customers are not affected, and SaaS customers have been protected by network-layer blocks deployed by CrowdStrike.

Self-hosted customers must upgrade to patched versions immediately to remediate the vulnerability.

Detection Guidance

This vulnerability exists in a specific cluster API endpoint of CrowdStrike LogScale self-hosted versions 1.224.0 through 1.234.0 inclusive, and LTS versions 1.228.0 and 1.228.1. Detection involves monitoring access to this exposed API endpoint for unauthorized or suspicious requests attempting path traversal.

CrowdStrike advises customers with self-hosted instances to follow normal monitoring procedures after upgrading, which implies reviewing logs for unusual file access patterns or requests targeting the vulnerable API endpoint.

Specific commands are not provided in the available resources, but typical detection steps could include using network monitoring tools or log analysis to identify requests with path traversal patterns (e.g., containing '../' sequences) targeting the cluster API endpoint.
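The advisory gives no detection commands, so the following is an added example (not CrowdStrike's code and not derived from LogScale's implementation) of the log analysis described above: it parses access-log lines and flags requests whose URL path contains traversal sequences, including single- and double-percent-encoded forms and backslash separators, which a naive grep for the literal `../` would miss. The endpoint prefix `/api/v1/cluster/` is a placeholder, since the advisory does not name the vulnerable endpoint, and the log lines are constructed in combined log format.

```python
"""Flag path-traversal attempts against a watched API prefix in HTTP access logs.
Added detection example; endpoint prefix and log lines are constructed placeholders."""
import posixpath
import re
from urllib.parse import unquote

# Assumption: the advisory does not name the endpoint; replace with the path
# prefix of the cluster API actually exposed by your LogScale deployment.
WATCHED_PREFIX = "/api/v1/cluster/"

# Combined log format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: one benign request, three traversal probes using
# plain, percent-encoded and double-percent-encoded dot-dot segments, and one
# benign request whose query string happens to contain ".." (must not fire).
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Apr/2026:10:00:01 +0000] "GET /api/v1/cluster/status HTTP/1.1" 200 512',
    '203.0.113.9 - - [07/Apr/2026:10:00:02 +0000] "GET /api/v1/cluster/../../../etc/hostname HTTP/1.1" 200 18',
    '203.0.113.9 - - [07/Apr/2026:10:00:03 +0000] "GET /api/v1/cluster/%2e%2e/%2e%2e/app/config.yaml HTTP/1.1" 403 0',
    '198.51.100.7 - - [07/Apr/2026:10:00:04 +0000] "GET /api/v1/cluster/%252e%252e/%252e%252e/app/config.yaml HTTP/1.1" 200 900',
    '10.0.0.8 - - [07/Apr/2026:10:00:05 +0000] "GET /api/v1/cluster/nodes?name=a..b HTTP/1.1" 200 77',
]


def fully_decode(s, max_rounds=3):
    """Percent-decode until the string stops changing (bounded), so that both
    %2e%2e and %252e%252e end up as '..' before inspection."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def traversal_indicators(raw_target):
    """Return the list of reasons a request target looks like path traversal
    (empty list means nothing suspicious)."""
    reasons = []
    path = raw_target.split("?", 1)[0]          # query string is not part of the path
    decoded = fully_decode(path)
    if decoded != unquote(path):                # needed more than one decode round
        reasons.append("multi-level percent encoding")
    if "\x00" in decoded:
        reasons.append("null byte in path")
    unified = decoded.replace("\\", "/")        # treat backslash as a separator too
    if ".." in unified.split("/"):
        reasons.append("dot-dot segment")
    # Collapse the path and check whether it still sits under the watched prefix.
    if unified.startswith(WATCHED_PREFIX):
        collapsed = posixpath.normpath(unified)
        if not collapsed.startswith(WATCHED_PREFIX.rstrip("/")):
            reasons.append("escapes watched prefix after normalization")
    return reasons


def scan_log(lines):
    """Parse access-log lines and return the suspicious ones with their reasons."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; in production, count these separately
        reasons = traversal_indicators(m["target"])
        if reasons:
            hits.append({
                "client": m["client"],
                "time": m["ts"],
                "target": m["target"],
                "status": int(m["status"]),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        # A 200 on a flagged request is the line to escalate first.
        print(f'{hit["client"]} {hit["status"]} {hit["target"]} -> {", ".join(hit["reasons"])}')
```

Run it against your own access logs by replacing `SAMPLE_LOG` with lines read from the file; a flagged request that returned HTTP 200 on a version listed as affected is the case to treat as a potential file read, whereas a 403 or 404 still shows probing but not a successful read. The decode loop is bounded deliberately so that a crafted target cannot make the scanner loop indefinitely.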

Mitigation Strategies

Immediate mitigation for customers hosting vulnerable versions of CrowdStrike LogScale is to upgrade to patched versions as soon as possible.

  • Upgrade to LogScale version 1.235.1 or later.
  • Alternatively, upgrade to version 1.234.1 or later.
  • Alternatively, upgrade to version 1.233.1 or later.
  • For LTS versions, upgrade to 1.228.2 or later.

Next-Gen SIEM customers are not affected and do not need to take any action.

CrowdStrike has already deployed network-layer blocks to all SaaS clusters to mitigate risk for SaaS customers.
