
CrowdStrike LogScale Critical Flaw Let Attackers Read Any Server File

Date April 27, 2026 / 3 Min Read

CrowdStrike fixed a critical vulnerability in LogScale that let unauthenticated attackers read arbitrary files from the server filesystem. CVE-2026-40050 carries a CVSS score of 9.8 and requires no credentials to exploit. An attacker who can reach the vulnerable cluster API endpoint can traverse directory paths and access sensitive files stored on the host.

The flaw affects LogScale Self-Hosted GA versions 1.224.0 through 1.234.0 and LTS versions 1.228.0 and 1.228.1. CrowdStrike published patches on 21 April 2026. The company says a review of all log data found no evidence of exploitation.

LogScale is a log management platform designed to collect and analyse large volumes of machine data in real time. In security operations centres, that data often includes authentication tokens, system events, internal network structures and incident response traces. A successful path traversal attack could expose all of it to an external attacker.

The Vulnerability Sits in an Unauthenticated Endpoint

According to CrowdStrike’s advisory, the vulnerability exists in a specific cluster API endpoint within LogScale’s Self-Hosted architecture. The endpoint lacks authentication controls and performs inadequate input validation, allowing attackers to craft directory traversal requests that bypass file access restrictions.

The company’s description is frustratingly thin on technical detail, which is typical for vulnerabilities affecting security products. CrowdStrike identified this internally through continuous product testing rather than through external reporting or observed attacks, and they are clearly reluctant to publish specifics that could accelerate weaponisation.

What we do know: if the vulnerable API endpoint is exposed to the internet or an untrusted network, attackers can exploit it remotely without any credentials. The CVSS vector string shows the vulnerability requires no user interaction and has low attack complexity, making it straightforward to exploit once the endpoint is identified.

SaaS Customers Are Protected, Self-Hosted Deployments Are Not

CrowdStrike deployed network-layer blocks across all LogScale SaaS clusters on 7 April 2026, effectively mitigating the risk for cloud customers before the vulnerability was publicly disclosed. Self-hosted customers received no such automatic protection and must apply patches manually.

According to SecurityWeek, CrowdStrike confirmed the patched builds introduce no performance impact on LogScale operations. The company has released fixed versions including 1.235.1, 1.234.1, 1.233.1, and LTS version 1.228.2 or later.

For organisations running self-hosted LogScale deployments, the remediation is straightforward: upgrade immediately. CrowdStrike’s advisory states that LogScale Self-hosted customers should upgrade to a patched version immediately to remediate the vulnerability. The urgency is warranted given the critical CVSS score and the fact that no authentication is required to exploit the flaw.
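
The version lists above overlap: 1.233.1 and LTS 1.228.2 are fixed builds that sit numerically inside the affected 1.224.0 to 1.234.0 range, so a plain range comparison misclassifies them. The following triage helper is an added example, not CrowdStrike code; it uses only the version numbers quoted in this article and assumes that later patch releases on a line with a listed fix keep the fix.

```python
import re

# Version data exactly as quoted in the article.
AFFECTED_MIN = (1, 224, 0)
AFFECTED_MAX = (1, 234, 0)
# Minor line -> first patch level listed as fixed (1.228.2, 1.233.1, 1.234.1, 1.235.1).
FIXED_BUILDS = {228: 2, 233: 1, 234: 1, 235: 1}
HIGHEST_FIXED = (1, 235, 1)


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH', allowing a leading 'v' and a build suffix."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def triage(version_text):
    """Return 'affected', 'patched' or 'not-listed' for a self-hosted build."""
    version = parse_version(version_text)
    major, minor, patch = version
    # Check fixed builds first: some of them fall inside the affected range.
    # Assumption: a later patch release on the same minor line keeps the fix.
    if major == 1 and minor in FIXED_BUILDS and patch >= FIXED_BUILDS[minor]:
        return "patched"
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    # Assumption: builds newer than the highest listed fix carry the fix.
    if version > HIGHEST_FIXED:
        return "patched"
    # Older than 1.224.0, or 1.235.0: the article does not classify these.
    return "not-listed"


if __name__ == "__main__":
    for build in ["1.228.1", "1.228.2", "1.233.0", "1.233.1", "1.234.0", "1.235.0"]:
        print(build, triage(build))
```

A result of `not-listed` means the article gives no answer for that build, so the vendor advisory is the place to check it.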

What Self-Hosted Customers Should Do Today

Apply the patches CrowdStrike released on 21 April. If you cannot patch immediately, restrict network access to the LogScale cluster API endpoint through firewall rules or VPN requirements. The endpoint should not be exposed to public-facing networks under any circumstances.

Review access logs for unusual API calls that might indicate attempted exploitation. According to The420.in, organisations should check for suspicious file access patterns and validate whether any unauthorised data exposure has occurred. However, CrowdStrike’s review of all log data found no evidence of exploitation, so there appears to be little cause for concern about active attacks at this stage.
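
One way to run that log review, as an added example rather than anything from CrowdStrike or the cited sources: the script below flags requests whose target contains a `..` component after repeated percent-decoding, and records whether the request was unauthenticated and whether the server answered with a 2xx. The combined-log layout and the `/placeholder/...` paths are assumptions, since the advisory does not name the endpoint.

```python
import re
from urllib.parse import unquote

# Constructed sample lines. The combined-log layout is an assumption and the
# request paths are placeholders, not the real LogScale endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Apr/2026:10:01:12 +0000] "GET /placeholder/cluster/status HTTP/1.1" 200 512
203.0.113.7 - - [22/Apr/2026:10:01:13 +0000] "GET /placeholder/cluster/files/../../conf/app.cfg HTTP/1.1" 200 18
198.51.100.4 - - [22/Apr/2026:10:02:40 +0000] "GET /placeholder/cluster/files/%252e%252e%252fconf HTTP/1.1" 404 0
192.0.2.10 - alice [22/Apr/2026:10:03:02 +0000] "GET /placeholder/search?q=a..b HTTP/1.1" 200 90
"""

LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')


def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(target):
    """True if any path or query component of the request target is '..'."""
    return ".." in re.split(r"[/\\?&=]", fully_decode(target))


def scan(log_text):
    """Return one finding per request whose target contains a '..' component."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, user, target, status = m.groups()
        if has_traversal(target):
            findings.append({
                "ip": ip,
                "authenticated": user != "-",
                "target": fully_decode(target),
                "served": status.startswith("2"),  # 2xx: content was returned
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Findings with `served` set and `authenticated` unset are the ones to prioritise when validating whether data was exposed.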

CVE-2026-40050 is not yet on CISA’s Known Exploited Vulnerabilities list, and the EPSS score remains low at 0.00265, suggesting limited weaponisation so far. That could change quickly once technical details circulate more widely.

References

  1. CrowdStrike Security Advisory CVE-2026-40050
  2. CVE-2026-40050 Detail – NIST NVD
  3. SecurityWeek: Vulnerabilities Patched in CrowdStrike, Tenable Products
  4. CyberSecurity News: CrowdStrike LogScale Vulnerability Analysis
  5. The420.in: Unauthenticated File Access Flaw Analysis