CrowdStrike warns LogScale flaw lets remote attackers read files without logging in


CrowdStrike has disclosed a critical vulnerability in LogScale that can let a remote attacker read arbitrary files from the server without authentication. The flaw, tracked as CVE-2026-40050, affects specific self-hosted LogScale releases and carries a CVSS 3.1 score of 9.8.

The issue sits in a cluster API endpoint. If that endpoint is reachable, an attacker can send path traversal sequences to step outside the directory it is meant to serve and read files on the underlying server, with no credentials required. CrowdStrike says only customers running affected self-hosted versions need to act; Next-Gen SIEM customers do not need to do anything.

For SaaS customers, CrowdStrike says it deployed network-layer blocks across all clusters on April 7, 2026. The company also says it reviewed all relevant log data and found no evidence of exploitation.

Who needs to act

The affected products are LogScale Self-Hosted GA versions 1.224.0 through 1.234.0, plus LogScale Self-Hosted LTS versions 1.228.0 and 1.228.1. If you run one of those builds on your own infrastructure, you need to patch it.

CrowdStrike says self-hosted customers should upgrade immediately to a fixed release. The patched branches listed in public references are 1.235.1 or later, 1.234.1 or later, 1.233.1 or later, and 1.228.2 LTS or later.

The vulnerability was identified during CrowdStrike’s own product testing, not through public reports of real-world abuse. That lowers the panic factor, but not the urgency. An unauthenticated file-read flaw on a logging platform can still expose sensitive configuration data, tokens, internal paths, and other information that helps attackers move deeper into an environment.

Why the bug matters

LogScale often sits close to valuable security and operations data. Even when a flaw does not immediately hand over code execution, arbitrary file access can reveal secrets that make follow-on attacks much easier.

The CVE record ties the issue to two weakness classes: missing authentication for a critical function (CWE-306) and improper limitation of a pathname to a restricted directory (CWE-22, path traversal). In plain terms, the endpoint neither verified who was calling it nor confined the requested path to the directory it was meant to serve, so a crafted path could walk out of that directory.
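To make those two weakness classes concrete, the following is an added example written for this article, not LogScale source code: a hypothetical file-serving handler in its vulnerable shape (no caller check, request path joined to the served directory without confinement) beside a hardened version that rejects unauthenticated callers and canonicalises the path before checking it stays under the served directory. The function names, the directory layout and the sample "secret" file are assumptions built for the demonstration.

```python
"""Added illustration of CWE-306 (missing authentication) and CWE-22 (path
traversal) side by side. Hypothetical handler code written for this article;
it is not LogScale source, and the function names and layout are assumptions."""
import os
import tempfile
from urllib.parse import unquote


def serve_file_vulnerable(base_dir: str, requested: str) -> bytes:
    """Shape of the bug class: nobody checks the caller (CWE-306), and the
    request path is joined to base_dir without confining the result (CWE-22)."""
    target = os.path.join(base_dir, unquote(requested))
    with open(target, "rb") as fh:
        return fh.read()


def serve_file_hardened(base_dir: str, requested: str, authenticated: bool) -> bytes:
    """Same handler with both checks: deny unauthenticated callers, then resolve
    symlinks and '..' and verify the result still sits under base_dir before
    touching the filesystem."""
    if not authenticated:
        raise PermissionError("authentication required")
    base = os.path.realpath(base_dir)
    # Decode once so encoded traversal (%2e%2e%2f) is judged after decoding.
    target = os.path.realpath(os.path.join(base, unquote(requested)))
    # commonpath equals base only when target is base or lies beneath it;
    # an absolute path such as /etc/passwd fails this check too.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"path escapes served directory: {requested!r}")
    with open(target, "rb") as fh:
        return fh.read()


def _raises(exc_type, fn, *args) -> bool:
    """True if calling fn(*args) raises exc_type."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False


def run_demo() -> dict:
    """Builds a constructed directory layout (public/readme.txt served, a
    secret file one level up) and exercises both handlers. Returns the
    outcomes as a dict so they can be asserted on."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        public = os.path.join(root, "public")
        os.mkdir(public)
        with open(os.path.join(public, "readme.txt"), "wb") as fh:
            fh.write(b"hello")
        secret = b"ingest-token=constructed-example"
        with open(os.path.join(root, "secret.txt"), "wb") as fh:
            fh.write(secret)

        # Vulnerable handler hands the parent directory's secret to anyone,
        # including via a URL-encoded traversal sequence.
        results["vulnerable_leaked"] = (
            serve_file_vulnerable(public, "%2e%2e%2fsecret.txt") == secret
        )

        # Hardened handler: legitimate read works; traversal, absolute paths
        # and missing authentication are all refused.
        results["hardened_legit"] = serve_file_hardened(public, "readme.txt", True)
        results["hardened_blocked"] = _raises(
            PermissionError, serve_file_hardened, public, "../secret.txt", True)
        results["hardened_abs_blocked"] = _raises(
            PermissionError, serve_file_hardened, public, "/etc/passwd", True)
        results["hardened_unauth_blocked"] = _raises(
            PermissionError, serve_file_hardened, public, "readme.txt", False)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The containment check resolves the path first and compares afterwards; checking for the literal string "../" before resolution is the common mistake, because encoded, doubled, or symlink-based variants slip past it.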

This also creates a split risk picture. SaaS and Next-Gen SIEM customers are already covered by CrowdStrike’s mitigations, but self-hosted users still carry the patching burden themselves. That makes inventory and version checking the first priority for defenders.

CVE-2026-40050 at a glance

CVE: CVE-2026-40050
Product: CrowdStrike LogScale
Severity: Critical
CVSS v3.1: 9.8
Bug type: Unauthenticated path traversal
Main impact: Remote attacker can read arbitrary files from the server filesystem
Affected deployments: Self-hosted LogScale only
Not affected: Next-Gen SIEM customers
SaaS status: CrowdStrike says it mitigated clusters on April 7, 2026
Evidence of exploitation: CrowdStrike says it found no evidence of exploitation

What admins should do now

  • Check whether any self-hosted LogScale instance runs GA versions 1.224.0 through 1.234.0 or LTS versions 1.228.0 and 1.228.1.
  • Upgrade to a patched build as soon as possible. Public references list 1.235.1, 1.234.1, 1.233.1, and 1.228.2 LTS as fixed branches.
  • Review whether the cluster API endpoint is reachable from the internet or exposed beyond trusted internal networks, and restrict it at the network layer until the upgrade is done.
  • Look for traversal sequences such as ../ and their URL-encoded forms in requests to the endpoint, and for signs of unexpected file access, in proxy, application, and host logs.
  • Treat exposed self-hosted instances as high priority until patching and validation finish.
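The first and fourth steps above can be scripted. What follows is an added example written for this article, not CrowdStrike tooling: it classifies a self-hosted version string against the affected and fixed ranges the article quotes, and flags traversal sequences in access-log lines, including percent-encoded and double-encoded forms. Because the article lists 1.233.1 and 1.234.1 as fixed builds inside the quoted GA range, fix status is checked before range membership. Versions outside every named range (1.235.0, for example) are reported as "not_listed" rather than safe. The log lines are constructed, and the endpoint path in them is a placeholder, not the real vulnerable route.

```python
"""Added example for the checklist above: version classification against the
ranges quoted in the article, plus traversal detection over access-log lines.
Not CrowdStrike tooling; the sample log and its endpoint path are made up."""
import re
from urllib.parse import unquote

# Version data as given in the article. Fixed releases 1.233.1 and 1.234.1 sit
# inside the quoted GA range, so fix status is checked before range membership.
AFFECTED_GA = ((1, 224, 0), (1, 234, 0))
AFFECTED_LTS = {(1, 228, 0), (1, 228, 1)}
FIXED_FLOOR = (1, 235, 1)                      # "1.235.1 or later"
BACKPORT_FIXES = {(1, 234): (1, 234, 1), (1, 233): (1, 233, 1), (1, 228): (1, 228, 2)}


def parse_version(text: str) -> tuple:
    """'1.228.1' -> (1, 228, 1); tuples compare component-wise."""
    return tuple(int(part) for part in text.strip().split("."))


def version_status(text: str) -> str:
    """Returns 'fixed', 'affected', or 'not_listed' (outside every range the
    article names; confirm those against the vendor advisory)."""
    v = parse_version(text)
    if v >= FIXED_FLOOR:
        return "fixed"
    line_fix = BACKPORT_FIXES.get(v[:2])
    if line_fix is not None and v >= line_fix:
        return "fixed"
    if AFFECTED_GA[0] <= v <= AFFECTED_GA[1] or v in AFFECTED_LTS:
        return "affected"
    return "not_listed"


# --- log review ------------------------------------------------------------
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"')
# A '..' segment delimited by slashes, backslashes, or the path boundary;
# 'node-1..2' in a normal segment does not match.
TRAVERSAL_RE = re.compile(r"(?:^|[/\\])\.\.(?:[/\\]|$)")


def has_traversal(path: str) -> bool:
    """True if a '..' segment appears in the raw path or after one or two
    rounds of percent-decoding (catches ..%2f and %252e%252e forms)."""
    candidate = path
    for _ in range(3):
        if TRAVERSAL_RE.search(candidate):
            return True
        decoded = unquote(candidate)
        if decoded == candidate:
            break
        candidate = decoded
    return False


def scan_log_lines(lines) -> list:
    """Returns (line_number, client, path) for every request whose path
    carries a traversal sequence. Expects combined-log style lines."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match and has_traversal(match.group("path")):
            client = line.split(" ", 1)[0]
            hits.append((number, client, match.group("path")))
    return hits


# Constructed sample; the endpoint path is a placeholder, not the real route.
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Apr/2026:10:01:12 +0000] "GET /api/v1/search HTTP/1.1" 200 512',
    '203.0.113.7 - - [07/Apr/2026:10:02:44 +0000] "GET /api/v1/example-cluster-endpoint/..%2f..%2fetc%2fpasswd HTTP/1.1" 200 2041',
    '198.51.100.9 - - [07/Apr/2026:10:03:01 +0000] "GET /health HTTP/1.1" 200 15',
    '203.0.113.7 - - [07/Apr/2026:10:03:30 +0000] "GET /api/v1/example-cluster-endpoint/%252e%252e/config HTTP/1.1" 200 1330',
    '192.0.2.44 - - [07/Apr/2026:10:04:02 +0000] "GET /api/v1/example-cluster-endpoint/nodes/node-1..2/status HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for ver in ("1.228.1", "1.233.0", "1.233.1", "1.235.0"):
        print(ver, version_status(ver))
    for hit in scan_log_lines(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

A 200 response on a flagged line is the signal that matters: a traversal request that was served, not merely attempted, is where to start scoping what the requester could have read.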

FAQ

What is CVE-2026-40050?

It is a critical CrowdStrike LogScale vulnerability that can let a remote attacker read arbitrary files from the server without authentication.

Does this affect all CrowdStrike customers?

No. CrowdStrike says Next-Gen SIEM customers are not affected, and LogScale SaaS customers were mitigated at the network layer on April 7, 2026.

Which versions are vulnerable?

The public advisory references self-hosted GA versions 1.224.0 through 1.234.0 and self-hosted LTS versions 1.228.0 and 1.228.1.

Is there active exploitation?

CrowdStrike says it found no evidence of exploitation after reviewing log data.
