CVE-2026-40050
Received Received - Intake

Unauthenticated Path Traversal in CrowdStrike LogScale Allows File Access

Vulnerability report for CVE-2026-40050, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: CrowdStrike Holdings, Inc.

Description

CrowdStrike has released security updates to address a critical unauthenticated path traversal vulnerability (CVE-2026-40050) in LogScale. This vulnerability only requires mitigation by customers that host specific versions of LogScale and does not affect Next-Gen SIEM customers. The vulnerability exists in a specific cluster API endpoint that, if exposed, allows a remote attacker to read arbitrary files from the server filesystem without authentication. Next-Gen SIEM customers are not affected and do not need to take any action. CrowdStrike mitigated the vulnerability for LogScale SaaS customers by deploying network-layer blocks to all clusters on April 7, 2026. We have proactively reviewed all log data and there is no evidence of exploitation. LogScale Self-hosted customers should upgrade to a patched version immediately to remediate the vulnerability. CrowdStrike identified this vulnerability during continuous and ongoing product testing.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-21
Last Modified
2026-04-21
Generated
2026-07-06
AI Q&A
2026-04-21
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
crowdstrike logscale 1.224.0
crowdstrike logscale 1.234.0
crowdstrike logscale From 1.235.1 (inc)
crowdstrike logscale From 1.234.1 (inc)
crowdstrike logscale From 1.233.1 (inc)
crowdstrike logscale From 1.228.2 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-40050 is a critical unauthenticated path traversal vulnerability in CrowdStrike LogScale, specifically affecting certain self-hosted versions. The flaw exists in a specific cluster API endpoint that, if exposed, allows a remote attacker to read arbitrary files from the server filesystem without any authentication.

This vulnerability is identified as CWE-306 (Missing Authentication for Critical Function) and CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, i.e., Path Traversal).

Impact Analysis

If the vulnerable LogScale self-hosted version is exposed, a remote attacker can exploit this vulnerability to read arbitrary files on the server without authentication.

This can lead to unauthorized disclosure of sensitive information stored on the server, potentially compromising confidentiality, integrity, and availability of data.

Next-Gen SIEM customers are not affected, and SaaS customers have been protected by network-layer blocks deployed by CrowdStrike.

Self-hosted customers must upgrade to patched versions immediately to remediate the vulnerability.

Detection Guidance

This vulnerability exists in a specific cluster API endpoint of CrowdStrike LogScale self-hosted versions 1.224.0 through 1.234.0 inclusive, and LTS versions 1.228.0 and 1.228.1. Detection involves monitoring access to this exposed API endpoint for unauthorized or suspicious requests attempting path traversal.

CrowdStrike advises customers with self-hosted instances to follow normal monitoring procedures after upgrading, which implies reviewing logs for unusual file access patterns or requests targeting the vulnerable API endpoint.

Specific commands are not provided in the available resources, but typical detection steps could include using network monitoring tools or log analysis to identify requests with path traversal patterns (e.g., containing '../' sequences) targeting the cluster API endpoint.

Mitigation Strategies

Immediate mitigation for customers hosting vulnerable versions of CrowdStrike LogScale is to upgrade to patched versions as soon as possible.

  • Upgrade to LogScale version 1.235.1 or later.
  • Alternatively, upgrade to version 1.234.1 or later.
  • Alternatively, upgrade to version 1.233.1 or later.
  • For LTS versions, upgrade to 1.228.2 or later.

Next-Gen SIEM customers are not affected and do not need to take any action.

CrowdStrike has already deployed network-layer blocks to all SaaS clusters to mitigate risk for SaaS customers.

Compliance Impact

The vulnerability allows unauthenticated remote attackers to read arbitrary files from the server filesystem, which could potentially expose sensitive data.

Such unauthorized data access could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

However, CrowdStrike has mitigated the vulnerability for SaaS customers and advises self-hosted customers to upgrade immediately, which helps reduce the risk of non-compliance.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40050. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart