CrowdStrike has disclosed CVE-2026-40050, a critical unauthenticated path-traversal vulnerability in its LogScale log management and SIEM platform that lets a remote, unauthenticated attacker read arbitrary files from the underlying server’s filesystem. The flaw carries a CVSS v3.1 score of 9.8 (Critical) and affects self-hosted deployments. SaaS tenants were silently mitigated weeks ago; on-prem operators are the ones who now have to move.

What happened

The vulnerability resides in a specific cluster API endpoint within LogScale that, when exposed, accepts crafted requests that escape the intended directory boundary. Improper input validation in the request handler lets an attacker traverse the directory structure and read files the LogScale process can read — without authentication, without any token, without any prior foothold. CrowdStrike says the bug was discovered internally through its product testing program rather than reported by an external researcher or observed in real-world attacks.

In a SIEM box, “files the LogScale process can read” is an alarming superset. That includes log indices full of credentials and PII captured from monitored assets, configuration files holding integration tokens for cloud and identity providers, and frequently the private TLS material the cluster uses for its own API. A path-traversal arbitrary-read on a security tool is a one-shot disclosure of the secrets the security tool was supposed to be protecting.

Affected versions

  • LogScale Self-Hosted GA: 1.224.0 through 1.234.0 inclusive
  • LogScale Self-Hosted LTS: 1.228.0 and 1.228.1

Fixed builds are 1.235.1, 1.234.1, 1.233.1 on the GA train, and 1.228.2 on LTS. Anything older than 1.224.0 is not in the disclosed range, but if you are running a version that old you have other problems.

LogScale SaaS customers are not on the patch hook. CrowdStrike deployed network-layer blocks across all SaaS clusters on April 7, 2026, before the public disclosure, so the attack surface has been gated at the infrastructure boundary for several weeks.

Impact

The vulnerability is unauthenticated, network-reachable on the cluster API, and arbitrary-read. There is no user interaction, no privilege requirement, no second step — a single HTTP request returns file contents. CrowdStrike has not observed exploitation in the wild, but with disclosure now public and a CVSS of 9.8, that grace period is brief. Path-traversal bugs are weaponized fast: the proof-of-concept is a URL.

The realistic blast radius for an exploited LogScale node:

  • Ingest secrets — API keys for forwarders (Falcon sensors, syslog relays, cloud audit pipelines) sit in config and on disk in plaintext or near-plaintext.
  • Query history — saved searches and dashboards can leak the structure and content of what defenders are watching, which is a roadmap for the attacker.
  • Identity material — TLS keys for the cluster, OIDC client secrets, LDAP bind passwords, all candidates for arbitrary-read.
  • Lateral movement — once the cluster’s own credentials leak, the attacker pivots from a single read to authenticated abuse of every system LogScale ingests from.

For organizations using LogScale as the system of record for incident response, that is roughly the worst possible disclosure surface.

Mitigation

Patch is the answer. Move to a fixed version on whichever train you run:

  1. GA: upgrade to 1.235.1, 1.234.1, or 1.233.1.
  2. LTS: upgrade to 1.228.2 or later.
  3. Network: until you patch, restrict the cluster API endpoint to known administrative networks. Do not leave it on a public ingress.
  4. Audit: assume the bug was reachable for the period your version was vulnerable. Rotate any credentials or keys whose plaintext lived on the LogScale node — ingest tokens, integration secrets, TLS keys.
  5. Monitor: look for unauthenticated requests to the cluster API endpoint, especially with .. sequences, encoded traversal, or unusual paths. LogScale itself can hunt for this in its access logs once you are on a patched build.
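Step 5 in working form, as an added example that is not from the advisory or from CrowdStrike: a small scanner that runs over constructed access-log lines and flags requests to the cluster API whose path, after one or more rounds of percent-decoding, contains a dot-dot segment. The advisory does not name the endpoint, so the prefix below is a placeholder you replace with the real cluster API path; the log format is a constructed common-log style, not LogScale's own.

```python
import re
from urllib.parse import unquote

CLUSTER_API_PREFIX = "/api/v1/cluster"  # PLACEHOLDER: not the real endpoint path
# Constructed common-log style: src - - [ts] "METHOD target proto" status size
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')
DOTSEG_RE = re.compile(r"^\.{2,}$")  # "..", "....", etc. (survives naive ".." stripping)

def decode_fully(target: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded %252e%252e is still caught."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def is_traversal(target: str) -> bool:
    """True if any path segment (query string dropped, backslash treated as /) is a dot-dot run."""
    path = decode_fully(target).split("?", 1)[0].replace("\\", "/")
    return any(DOTSEG_RE.match(seg) for seg in path.split("/"))

def scan_access_log(lines):
    """Return (src, raw_target, status) for traversal attempts aimed at the cluster API.
    A 200 means the server answered the traversal; treat that as a confirmed read."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if decode_fully(target).startswith(CLUSTER_API_PREFIX) and is_traversal(target):
            hits.append((m.group("src"), target, int(m.group("status"))))
    return hits

SAMPLE_LOG = [  # constructed lines, not real LogScale output
    '203.0.113.7 - - [08/Apr/2026:10:01:02 +0000] "GET /api/v1/cluster/../../../../etc/hostname HTTP/1.1" 200 12',
    '203.0.113.7 - - [08/Apr/2026:10:01:05 +0000] "GET /api/v1/cluster/%2e%2e%2f%2e%2e%2fconfig/server.conf HTTP/1.1" 200 912',
    '203.0.113.9 - - [08/Apr/2026:10:02:11 +0000] "GET /api/v1/cluster/%252e%252e/config HTTP/1.1" 404 0',
    '198.51.100.4 - - [08/Apr/2026:10:03:00 +0000] "GET /api/v1/cluster/status HTTP/1.1" 200 300',
    '198.51.100.5 - - [08/Apr/2026:10:04:00 +0000] "GET /api/v1/repositories/main/query?q=x..y HTTP/1.1" 200 55',
]

if __name__ == "__main__":
    for src, target, status in scan_access_log(SAMPLE_LOG):
        print(("CONFIRMED" if status == 200 else "attempt  "), src, target, status)
```

Any hit with a 2xx status from before your upgrade is the trigger for the credential rotation in step 4.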

Why this one matters

LogScale is in the trust boundary of the security team. When the box that holds every other team’s logs and credentials is the one with an unauthenticated arbitrary-read, the patch window matters more than usual — and “no observed exploitation” is a claim with a half-life measured in days after disclosure.