Critical Unauthenticated Path Traversal in CrowdStrike LogScale

The National Vulnerability Database has detailed a critical path traversal vulnerability, CVE-2026-40050, affecting specific self-hosted versions of CrowdStrike’s LogScale. This flaw allows unauthenticated remote attackers to read arbitrary files from the server filesystem by exploiting a specific cluster API endpoint. The CVSS score of 9.8 highlights the severity, indicating a high potential for exploitation.

While LogScale SaaS customers and Next-Gen SIEM users are unaffected, self-hosted LogScale deployments are at significant risk if this API endpoint is exposed. CrowdStrike has deployed network-level mitigations for SaaS customers and confirmed no evidence of exploitation in their environments. However, organizations running self-hosted LogScale must prioritize upgrading to a patched version immediately to close this critical security gap.

What This Means For You

  • If your organization self-hosts CrowdStrike LogScale, you must upgrade to a patched version immediately. Confirm that the affected cluster API endpoint is not exposed to the internet. Audit access logs for any suspicious file read attempts.
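
One way to carry out the access-log audit recommended above, as an added example that is not code from NVD or CrowdStrike. It assumes a reverse proxy in front of LogScale that writes combined-format access logs; `API_PREFIX` is a placeholder because the affected endpoint path is not given here, and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Placeholder: the advisory text here does not name the affected endpoint path.
API_PREFIX = "/api/v1/EXAMPLE-CLUSTER-ENDPOINT"

# Assumed input: combined-format access log lines from a proxy in front of LogScale.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# ".." as a whole path segment or parameter value, with / or \ separators.
TRAVERSAL_RE = re.compile(r'(^|[\\/=])\.\.([\\/]|$)')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Apr/2026:20:30:01 +0000] "GET /api/v1/EXAMPLE-CLUSTER-ENDPOINT/..%2f..%2f..%2fetc/hostname HTTP/1.1" 200 1843',
    '203.0.113.7 - - [21/Apr/2026:20:30:02 +0000] "GET /api/v1/EXAMPLE-CLUSTER-ENDPOINT/%252e%252e%252f%252e%252e%252fetc%252fhostname HTTP/1.1" 404 0',
    '198.51.100.4 - alice [21/Apr/2026:20:31:10 +0000] "GET /api/v1/EXAMPLE-CLUSTER-ENDPOINT/status HTTP/1.1" 200 312',
    '198.51.100.9 - - [21/Apr/2026:20:32:44 +0000] "GET /api/v1/other/..%2fx HTTP/1.1" 200 10',
]

def fully_decode(value, max_rounds=5):
    """Percent-decode until stable so double-encoded input (%252e) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal_attempts(lines, api_prefix=API_PREFIX):
    """Return one record per request under api_prefix whose decoded target contains '..'."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        decoded = fully_decode(m["target"])
        if decoded.startswith(api_prefix) and TRAVERSAL_RE.search(decoded):
            hits.append({
                "ip": m["ip"],
                "user": m["user"],  # "-" means no authenticated user was logged
                "status": int(m["status"]),
                "decoded": decoded,
                "served": m["status"].startswith("2"),  # 2xx: content was returned
            })
    return hits
```

Calling `find_traversal_attempts(SAMPLE_LOG)` returns the two requests from 203.0.113.7; records with `served` set to true are the ones to triage first, since the server returned content for them.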

🛡️ Detection Rules

critical T1190 Initial Access

Unauthenticated Path Traversal in LogScale Cluster API — CVE-2026-40050

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40050 | Path Traversal | CrowdStrike LogScale |
| CVE-2026-40050 | Path Traversal | unauthenticated access to cluster API endpoint |
| CVE-2026-40050 | Information Disclosure | read arbitrary files from server filesystem |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 21, 2026 at 20:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
