CrowdStrike has disclosed CVE-2026-40050, an unauthenticated path traversal in the LogScale cluster API that lets a remote attacker read arbitrary files from any exposed self-hosted node. The flaw carries a CVSS v3.1 score of 9.8 and affects a log management platform that, by design, sits in the middle of an organization’s security telemetry pipeline — making the blast radius for any successful exfiltration significantly worse than the average file-read bug.
What Happened
LogScale (formerly Humio) is CrowdStrike’s high-throughput log search and SIEM-adjacent platform. The vulnerability lives in a specific cluster API endpoint that performs insufficient input validation on a path parameter. A remote attacker can craft a request that traverses out of the intended directory and reads files anywhere the LogScale process has filesystem access — configuration, secrets, ingestion buffers, even the underlying log store.
No authentication is required. No specific cluster role is required. If the endpoint is reachable from the attacker, the file read works.
CrowdStrike says the bug was found internally through routine product testing, not by an external researcher or in-the-wild incident response, and there is currently no indication of active exploitation. SaaS LogScale customers were protected on April 7, 2026 when CrowdStrike deployed network-layer blocks across all hosted clusters. The disclosure window is therefore primarily a self-hosted problem.
Affected Versions
- LogScale Self-Hosted GA: 1.224.0 through 1.234.0 (inclusive)
- LogScale Self-Hosted LTS: 1.228.0 and 1.228.1
CrowdStrike Falcon Next-Gen SIEM customers are not affected — the vulnerable endpoint is not exposed in that product line.
Fixed Releases
Patched builds are available on multiple branches so operators do not have to take a major version jump:
- 1.235.1 or later (current GA)
- 1.234.1 or later
- 1.233.1 or later
- 1.228.2 LTS or later
Why This Matters For Infrastructure Teams
A LogScale cluster reads everything. Authentication credentials, application logs, audit trails from cloud control planes, Kubernetes API server logs, network flow records — if it is being shipped for retention, it is on disk somewhere on those nodes. An unauthenticated arbitrary file read against that surface is, effectively, an unauthenticated read against your security data lake.
Worse, LogScale nodes are frequently configured with service-account credentials for object storage backends (S3, GCS, Azure Blob) used to tier cold data. A successful file read that returns one of those credential files extends the impact from “reads files on this host” to “reads the entire archive.”
Two operational details make this more uncomfortable than a typical CVSS 9.8:
- Many LogScale clusters were originally deployed with the cluster API exposed on internal networks but reachable from a wide swath of the corporate environment, because that is where the operators wanted to query metrics and run health checks from. Lateral movement to the cluster API is therefore not a meaningful filter for most threat models.
- LogScale nodes typically run with read access to TLS material so they can serve HTTPS to ingest agents. A file read can return the private key.
What To Do Right Now
If you run self-hosted LogScale:
- Upgrade. Pick the patched build on whichever branch you are tracking — 1.235.1, 1.234.1, 1.233.1, or 1.228.2 LTS. The patches are minor and do not require a major version migration.
- Until the upgrade lands, restrict network access to the cluster API endpoints to a known administrative subnet. The API should not be reachable from generic application networks. CrowdStrike’s SaaS-side mitigation was a network-layer block — operators can replicate that with firewall or service mesh policy.
- Treat any TLS keys, object storage credentials, or LDAP bind passwords stored on or readable by LogScale nodes as potentially compromised if your cluster API was internet-exposed prior to patching, and rotate. Even though there is no public evidence of exploitation, the cost of rotation is small relative to the disclosure surface.
- Review access logs for the cluster API endpoint going back to the earliest vulnerable version you have run. The traversal pattern is recognizable in URL paths and should be straightforward to grep for once you have the indicator format from CrowdStrike’s advisory.
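As an added illustration of the log review step (example code written for this page, not CrowdStrike's advisory or indicator format), the script below scans constructed Combined Log Format lines for requests to the cluster API whose path or query parameter resolves to an upward traversal once percent-encoding, including double-encoding, is unwrapped; the route `/api/v1/cluster/example` is a placeholder, not the real affected endpoint.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Combined Log Format. The route /api/v1/cluster/example
# stands in for the affected cluster API endpoint; it is not LogScale's real path.
SAMPLE_LOG = """\
10.0.8.15 - - [08/Apr/2026:10:01:12 +0000] "GET /api/v1/cluster/example?file=dashboard.json HTTP/1.1" 200 512 "-" "curl/8.4"
10.0.8.15 - - [08/Apr/2026:10:01:19 +0000] "GET /api/v1/cluster/example?file=../../../../etc/passwd HTTP/1.1" 200 1384 "-" "curl/8.4"
203.0.113.7 - - [08/Apr/2026:10:02:03 +0000] "GET /api/v1/cluster/example?file=..%2F..%2F..%2Fhumio-config.env HTTP/1.1" 200 2201 "-" "python-requests/2.31"
203.0.113.7 - - [08/Apr/2026:10:02:05 +0000] "GET /api/v1/cluster/example?file=%252e%252e%252f%252e%252e%252fssl%252fserver.key HTTP/1.1" 404 0 "-" "python-requests/2.31"
10.0.8.20 - - [08/Apr/2026:10:03:40 +0000] "GET /api/v1/status HTTP/1.1" 200 87 "-" "kube-probe/1.29"
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded sequences (%252e) are unwrapped."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(target):
    """True if any path or query segment of the decoded target is a bare '..'."""
    decoded = fully_decode(target).replace("\\", "/")
    return ".." in re.split(r"[/?&=]", decoded)

def scan_log(text, endpoint_prefix="/api/v1/cluster/"):
    """Return requests to the cluster API prefix whose target traverses upward."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["target"].startswith(endpoint_prefix):
            continue
        if has_traversal(m["target"]):
            hits.append({
                "src": m["src"], "ts": m["ts"], "target": m["target"],
                "decoded": fully_decode(m["target"]),
                # A 2xx on a traversal request is the one to treat as a likely file read.
                "served": m["status"].startswith("2"),
            })
    return hits

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["ts"]} {h["src"]} served={h["served"]} {h["decoded"]}')
```

Once the advisory's indicator format is known, narrow `endpoint_prefix` to the real route and treat every `served=True` hit as a candidate for the credential rotation described above.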
References
- CVE-2026-40050 — NVD
- CrowdStrike LogScale Vulnerability Allows Remote Attackers to Read Arbitrary Files — Cybersecurity News
- Critical bug in CrowdStrike LogScale lets attackers access files — Security Affairs
- Find impacted LogScale assets — runZero
- Critical Path Traversal Vulnerability in CrowdStrike LogScale — CSIRT-CY