Critical Vulnerability in CrowdStrike LogScale Exposes Servers to Unauthorized File Access
CrowdStrike has recently identified a critical security flaw in its LogScale platform, designated as CVE-2026-40050. This unauthenticated path-traversal vulnerability allows remote attackers to access arbitrary files on the server’s filesystem without requiring authentication.
Vulnerability Overview
The vulnerability resides in a specific cluster API endpoint within CrowdStrike LogScale. If this endpoint is reachable over the network, a remote attacker can use it to traverse the server’s directory structure and read sensitive files without supplying any credentials. The flaw carries a CVSS v3.1 score of 9.8 (CRITICAL), reflecting the severe potential impact on confidentiality, integrity, and availability.
Two primary weaknesses contribute to this vulnerability:
– CWE-306: Missing Authentication for Critical Function
– CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
Affected Versions
The vulnerability affects the following versions of LogScale:
– Self-Hosted GA Versions: 1.224.0 through 1.234.0 (inclusive)
– Self-Hosted LTS Versions: 1.228.0 and 1.228.1
Notably, Next-Gen SIEM customers are not affected and require no action.
Mitigation Measures
CrowdStrike has taken swift action to address this vulnerability:
– For LogScale SaaS Customers: Network-layer blocks were deployed across all clusters on April 7, 2026, effectively mitigating the risk at the infrastructure level. A proactive review of all log data revealed no evidence of exploitation in the wild.
– For Self-Hosted LogScale Customers: It is imperative to upgrade immediately to one of the following patched versions:
  – 1.235.1 or later
  – 1.234.1 or later
  – 1.233.1 or later
  – 1.228.2 (LTS) or later
CrowdStrike has confirmed that these patched builds introduce no performance impact on LogScale operations.
Discovery and Monitoring
The vulnerability was discovered internally through CrowdStrike’s continuous product testing program, rather than being reported by an external researcher or observed in a real-world attack. The company is actively monitoring LogScale SaaS environments for any signs of abuse or suspicious activity related to this flaw.
Recommendations
Organizations running self-hosted instances should follow standard incident response procedures and review their environments for any signs of prior unauthorized access or file exfiltration. Ensuring that all systems are updated to the latest patched versions is crucial to maintaining security and operational integrity.