PROBABLYPWNED
Vulnerabilities | April 25, 2026 | 3 min read

CrowdStrike LogScale Path Traversal Lets Attackers Read Any File

CVE-2026-40050 exposes CrowdStrike LogScale servers to unauthenticated file access via path traversal. CVSS 9.8—here's who's affected and how to patch.

Marcus Chen

A critical vulnerability in CrowdStrike's LogScale logging platform allows remote attackers to read arbitrary files from affected servers without authentication. The flaw, tracked as CVE-2026-40050, carries a CVSS score of 9.8 and affects multiple versions of the self-hosted product.

CrowdStrike disclosed the vulnerability on April 23, 2026, after discovering it through internal security testing. The company has released patches and confirmed no evidence of exploitation in the wild.

How the Vulnerability Works

The path traversal vulnerability exists in a cluster API endpoint within LogScale. An attacker who can reach a vulnerable instance over the network can send HTTP requests whose path or parameters carry traversal sequences (such as `../`, including URL-encoded forms), and the endpoint returns files from outside the directory it was meant to serve, with no authentication step in the way.

A flaw of this class can expose configuration files, encryption keys and other key material, ingested log data, and whatever else is readable by the LogScale service account. For organizations using LogScale to aggregate security telemetry, that means both infrastructure details (hostnames, credentials embedded in configuration) and any customer data present in the logs.

The attack requires network access to the LogScale instance but no credentials or user interaction, making it particularly dangerous for internet-exposed deployments.
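The mechanism in concrete form, as an added example that is not CrowdStrike's code and does not reproduce the LogScale endpoint (which the coverage here does not name): a minimal file-path resolver in the naive form that lets `..` walk out of its serving directory, beside a hardened form that decodes, canonicalises, and then proves the result is contained in the serving root. The base directory `/opt/logscale/public`, the function names, and the probe strings are constructed for the demonstration.

```python
import posixpath
from typing import Optional
from pathlib import PurePosixPath
from urllib.parse import unquote

# Assumed serving root, used only to illustrate the bug class; the real
# LogScale endpoint and directory are not published in this article.
BASE_DIR = PurePosixPath("/opt/logscale/public")


def vulnerable_resolve(requested: str) -> str:
    """'Before' form: URL-decode once (as a web framework would) and join onto BASE_DIR.

    posixpath.normpath collapses '..' segments, so '../../../etc/passwd'
    resolves to a path outside the serving root and the caller reads it.
    """
    return posixpath.normpath(f"{BASE_DIR}/{unquote(requested)}")


def safe_resolve(requested: str) -> Optional[str]:
    """Hardened form: decode, canonicalise, then prove the result stays inside BASE_DIR.

    Returns the absolute path to open, or None if the request is rejected.
    """
    # Decode twice so double-encoded dots (%252e%252e) cannot slip past a check
    # that only looked at the once-decoded string.
    decoded = unquote(unquote(requested))
    # Some stacks accept backslashes as separators; fold them before checking.
    decoded = decoded.replace("\\", "/")
    # Absolute paths and NUL bytes never belong in a relative file request.
    if decoded.startswith("/") or "\x00" in decoded:
        return None
    candidate = PurePosixPath(posixpath.normpath(f"{BASE_DIR}/{decoded}"))
    # relative_to() compares whole components, so '/opt/logscale/public_backup/x'
    # is correctly rejected; a str.startswith(BASE_DIR) test would accept it.
    try:
        candidate.relative_to(BASE_DIR)
    except ValueError:
        return None
    return str(candidate)


if __name__ == "__main__":
    # Constructed probes of the kind an unauthenticated attacker would send.
    probes = [
        "logs/app.log",
        "../../../etc/passwd",
        "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
        "%252e%252e/%252e%252e/%252e%252e/etc/passwd",
        "..\\..\\..\\etc\\passwd",
        "../public_backup/secret.key",
    ]
    for p in probes:
        print(f"{p!r:48} naive -> {vulnerable_resolve(p)!r:44} hardened -> {safe_resolve(p)!r}")
```

Two details matter more than the rest. The containment test uses `relative_to`, which compares path components, because the common `startswith` shortcut accepts sibling directories that merely share a prefix. And the decode happens before normalisation, twice, because a filter applied to the raw URL sees `%2e%2e` rather than `..`. In a real server you would additionally open the resolved path with symlink protection (for example `O_NOFOLLOW`) since canonicalising the string says nothing about what the filesystem has linked underneath it.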

Affected Versions

CrowdStrike has confirmed these versions are vulnerable:

  • LogScale Self-Hosted GA: Versions 1.224.0 through 1.234.0 (inclusive)
  • LogScale Self-Hosted LTS: Versions 1.228.0 and 1.228.1

LogScale SaaS customers are not directly affected: CrowdStrike deployed network-layer mitigations across all SaaS clusters on April 7, 2026, more than two weeks before public disclosure. Self-hosted operators that find evidence of access should also assess their breach-notification obligations, since the files exposed can include customer data.

Patched Versions

Organizations running self-hosted LogScale deployments should upgrade immediately to one of these fixed releases. Note that 1.233.1 and 1.234.1 fall numerically inside the affected GA range above; CrowdStrike lists them as fixed, so match a version against this list before applying the range test.

  1. Version 1.235.1 (latest GA)
  2. Version 1.234.1
  3. Version 1.233.1
  4. Version 1.228.2 (LTS branch)

The vendor strongly recommends prioritizing the upgrade given the critical severity rating and the unauthenticated nature of the attack.

Why This Matters

LogScale, formerly known as Humio, handles high-volume log aggregation and analysis for security operations centers worldwide. A vulnerability that exposes arbitrary file contents could undermine the security of the very infrastructure organizations rely on for threat detection.

This isn't the first time security tooling has become a target. Path traversal and authentication bypass vulnerabilities have affected other SIEM and log management platforms in recent months, and the LMDeploy SSRF flaw (in an LLM serving toolkit rather than a SIEM) was exploited within hours of disclosure. Attackers increasingly focus on security and infrastructure tooling because compromising these systems provides visibility into an organization's defenses and often yields privileged access.

CrowdStrike's internal discovery and rapid patching before any known exploitation is a positive outcome, but organizations running self-hosted deployments need to act quickly. The detailed nature of the disclosure—specifying affected versions and the vulnerable endpoint—gives attackers a roadmap if they can identify unpatched instances.

Recommended Actions

  1. Identify affected systems: Inventory all LogScale Self-Hosted deployments and compare each node's version against the affected and fixed lists above
  2. Upgrade immediately: Apply patches to reach version 1.235.1, 1.234.1, 1.233.1, or 1.228.2 (LTS)
  3. Review network exposure: Place LogScale behind a VPN, an authenticating reverse proxy, or an IP allow-list; the attack needs only network reachability, so an instance that answers on the internet is exploitable by anyone who finds it
  4. Check access logs: Search the HTTP access logs of each node for requests to the cluster API containing traversal sequences (`../`, and encoded forms such as `%2e%2e/`, `..%2f` or double-encoded `%252e%252e`), and treat any 2xx response with a non-empty body as a likely file read
  5. Monitor for follow-on activity: A read of configuration or key material typically leads to credential reuse and outbound exfiltration, so watch for new logins using LogScale-held secrets and for unusual outbound connections from the nodes
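The inventory and log-review steps above, worked as an added example that also serves the Affected Versions list. This is not CrowdStrike's tooling: a version-triage function that encodes the affected and fixed versions stated in this article, and a sweep over web-server access logs for traversal probes. The log lines and the `/api/example/file` path are constructed placeholders, not LogScale's real endpoint; the assumption that later patch releases on a fixed branch (for example a hypothetical 1.233.2) keep the fix is mine, not the advisory's.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote

# --- 1. Version triage (values taken from the affected/fixed lists in this article) ---

GA_AFFECTED_LOW, GA_AFFECTED_HIGH = (1, 224, 0), (1, 234, 0)   # inclusive
LTS_AFFECTED = {(1, 228, 0), (1, 228, 1)}
# First fixed patch level on each branch that received a fix. Assumption (not from
# the advisory): later patch releases on the same branch keep the fix.
FIX_FLOOR = {(1, 235): 1, (1, 234): 1, (1, 233): 1, (1, 228): 2}


def parse_version(text: str) -> Tuple[int, int, int]:
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised LogScale version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(text: str) -> bool:
    """True if this LogScale Self-Hosted version is in the advisory's affected set.

    Fixed releases are checked first because 1.233.1 and 1.234.1 sit numerically
    inside the 1.224.0-1.234.0 GA window; a plain range test would misreport them.
    """
    major, minor, patch = parse_version(text)
    floor = FIX_FLOOR.get((major, minor))
    if floor is not None and patch >= floor:
        return False
    v = (major, minor, patch)
    return v in LTS_AFFECTED or GA_AFFECTED_LOW <= v <= GA_AFFECTED_HIGH


# --- 2. Access-log sweep for traversal probes ---

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# A '..' segment at the start of the target or after a separator, '=' or '&', so it
# fires on path components and query-string values but not on names like 'a..b'.
TRAVERSAL_RE = re.compile(r"(?<![^/\\=&])\.\.(?=[/\\]|$)")


def decode_target(target: str) -> str:
    # Decode twice to surface %252e%252e, then fold backslashes to '/'.
    return unquote(unquote(target)).replace("\\", "/")


def scan_access_log(lines: List[str]) -> List[Dict[str, object]]:
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        decoded = decode_target(m["target"])
        if TRAVERSAL_RE.search(decoded):
            hits.append({
                "ip": m["ip"],
                "status": int(m["status"]),
                "size": 0 if m["size"] == "-" else int(m["size"]),
                "target": decoded,
                # A 2xx with a non-empty body is the case to treat as a successful read.
                "likely_read": m["status"].startswith("2") and m["size"] not in ("-", "0"),
            })
    return hits


# Constructed sample lines in combined log format. '/api/example/file' is a
# placeholder path, not LogScale's real endpoint, which this article does not name.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Apr/2026:10:01:12 +0000] "GET /api/example/status HTTP/1.1" 200 512',
    '203.0.113.7 - - [24/Apr/2026:10:02:03 +0000] "GET /api/example/file?name=../../../../etc/passwd HTTP/1.1" 200 2948',
    '203.0.113.7 - - [24/Apr/2026:10:02:05 +0000] "GET /api/example/file?name=%2e%2e%2f%2e%2e%2fetc%2fshadow HTTP/1.1" 403 0',
    '198.51.100.9 - - [24/Apr/2026:10:03:00 +0000] "GET /api/example/file?name=..%252f..%252fconfig.yaml HTTP/1.1" 200 1200',
    '10.0.0.8 - - [24/Apr/2026:10:04:10 +0000] "GET /api/example/file?name=report..2026.csv HTTP/1.1" 200 77',
]


if __name__ == "__main__":
    for v in ["1.224.0", "1.228.1", "1.228.2", "1.233.1", "1.234.0", "1.235.1"]:
        print(f"{v:10} affected={is_affected(v)}")
    for h in scan_access_log(SAMPLE_LOG):
        print(h)
```

Run the triage against the version string each node reports, not against the version you think you deployed; clusters upgraded node by node can leave a mix. For the log sweep, the `likely_read` flag is the triage priority: a 403 to a traversal probe shows someone scanning, but a 200 with a body of plausible file size is the line that turns a scan into an incident.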

Organizations with questions about their exposure can consult CrowdStrike's security advisory or contact their CrowdStrike representative for additional guidance.
