CVE-2026-40050
Unauthenticated Path Traversal in CrowdStrike LogScale Allows File Access

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: CrowdStrike Holdings, Inc.

Description
CrowdStrike has released security updates to address a critical unauthenticated path traversal vulnerability (CVE-2026-40050) in LogScale. This vulnerability only requires mitigation by customers that host specific versions of LogScale and does not affect Next-Gen SIEM customers.

The vulnerability exists in a specific cluster API endpoint that, if exposed, allows a remote attacker to read arbitrary files from the server filesystem without authentication. Next-Gen SIEM customers are not affected and do not need to take any action.

CrowdStrike mitigated the vulnerability for LogScale SaaS customers by deploying network-layer blocks to all clusters on April 7, 2026. We have proactively reviewed all log data and there is no evidence of exploitation.

LogScale Self-hosted customers should upgrade to a patched version immediately to remediate the vulnerability. CrowdStrike identified this vulnerability during continuous and ongoing product testing.
Meta Information
Published: 2026-04-21
Last Modified: 2026-04-21
Generated: 2026-05-07
AI Q&A: 2026-04-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor Product Version / Range
crowdstrike logscale 1.224.0
crowdstrike logscale 1.234.0
crowdstrike logscale From 1.235.1 (inc)
crowdstrike logscale From 1.234.1 (inc)
crowdstrike logscale From 1.233.1 (inc)
crowdstrike logscale From 1.228.2 (inc)
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated remote attackers to read arbitrary files from the server filesystem, which could potentially expose sensitive data.

Such unauthorized data access could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

However, CrowdStrike has mitigated the vulnerability for SaaS customers and advises self-hosted customers to upgrade immediately, which helps reduce the risk of non-compliance.


Can you explain this vulnerability to me?

CVE-2026-40050 is a critical unauthenticated path traversal vulnerability in CrowdStrike LogScale, specifically affecting certain self-hosted versions. The flaw exists in a specific cluster API endpoint that, if exposed, allows a remote attacker to read arbitrary files from the server filesystem without any authentication.

This vulnerability is identified as CWE-306 (Missing Authentication for Critical Function) and CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, i.e., Path Traversal).


How can this vulnerability impact me?

If the vulnerable LogScale self-hosted version is exposed, a remote attacker can exploit this vulnerability to read arbitrary files on the server without authentication.

This can lead to unauthorized disclosure of sensitive information stored on the server, potentially compromising confidentiality, integrity, and availability of data.

Next-Gen SIEM customers are not affected, and SaaS customers have been protected by network-layer blocks deployed by CrowdStrike.

Self-hosted customers must upgrade to patched versions immediately to remediate the vulnerability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability exists in a specific cluster API endpoint of CrowdStrike LogScale self-hosted versions 1.224.0 through 1.234.0 inclusive, and LTS versions 1.228.0 and 1.228.1. Detection involves monitoring access to this exposed API endpoint for unauthorized or suspicious requests attempting path traversal.

CrowdStrike advises customers with self-hosted instances to follow normal monitoring procedures after upgrading, which implies reviewing logs for unusual file access patterns or requests targeting the vulnerable API endpoint.

Specific commands are not provided in the available resources, but typical detection steps could include using network monitoring tools or log analysis to identify requests with path traversal patterns (e.g., containing '../' sequences) targeting the cluster API endpoint.
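The log-analysis step above, as an added example that is not part of the advisory or the Q&A and not CrowdStrike code: it parses constructed common-log-format lines, percent-decodes each request path (repeatedly, to catch double encoding) and flags any path whose decoded form contains a bare `..` segment. The `<endpoint>` placeholder stands in for the cluster API route, which the advisory does not name; a literal `'../'` check, as the Q&A suggests, catches only one of the three constructed traversal requests.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); the request
# paths use a placeholder "<endpoint>" rather than the real LogScale
# cluster API route, which the advisory does not name.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Apr/2026:10:01:12 +0000] "GET /api/v1/status HTTP/1.1" 200 512
198.51.100.7 - - [21/Apr/2026:10:02:44 +0000] "GET /cluster/<endpoint>/../../../etc/passwd HTTP/1.1" 200 1834
203.0.113.9 - - [21/Apr/2026:10:03:01 +0000] "GET /cluster/<endpoint>/%2e%2e%2f%2e%2e%2fetc%2fhostname HTTP/1.1" 200 64
203.0.113.9 - - [21/Apr/2026:10:03:05 +0000] "GET /cluster/<endpoint>/..%252f..%252fetc/hosts HTTP/1.1" 200 320
10.0.0.8 - - [21/Apr/2026:10:04:30 +0000] "GET /files/report..pdf HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')

def normalize_path(raw_path: str, max_rounds: int = 3) -> str:
    """Drop the query string, percent-decode repeatedly (bounded, so
    double encoding like %252f is unwrapped) and treat '\\' as '/'."""
    path = raw_path.split('?', 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace('\\', '/')

def has_traversal(raw_path: str) -> bool:
    """True only when a whole segment is '..'; 'report..pdf' is not flagged."""
    return '..' in normalize_path(raw_path).split('/')

def naive_hits(log_text: str) -> int:
    """How many lines a literal '../' substring check would catch."""
    return sum('../' in line for line in log_text.splitlines())

def find_traversal_requests(log_text: str) -> list[dict]:
    """Return parsed requests whose decoded path escapes a directory."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently pass
        client, ts, method, path, status, _size = m.groups()
        if has_traversal(path):
            hits.append({"client": client, "time": ts, "method": method,
                         "path": path, "decoded": normalize_path(path),
                         "status": int(status)})
    return hits
```

Run `find_traversal_requests` over the real access log of the LogScale node and review the `status` field of each hit: a 200 on a traversal request is the line worth escalating.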


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation for customers hosting vulnerable versions of CrowdStrike LogScale is to upgrade to patched versions as soon as possible.

  • Upgrade to LogScale version 1.235.1 or later.
  • Alternatively, upgrade to version 1.234.1 or later.
  • Alternatively, upgrade to version 1.233.1 or later.
  • For LTS versions, upgrade to 1.228.2 or later.

Next-Gen SIEM customers are not affected and do not need to take any action.

CrowdStrike has already deployed network-layer blocks to all SaaS clusters to mitigate risk for SaaS customers.

