Critical bug in CrowdStrike LogScale let attackers access files
2026-4-26 16:7:2 Author: securityaffairs.com (view original)

CrowdStrike fixed CVE-2026-40050 in LogScale self-hosted, a critical flaw allowing unauthenticated file access via path traversal.

CrowdStrike recently disclosed a critical vulnerability, tracked as CVE-2026-40050, affecting its LogScale self-hosted product. The flaw enables unauthenticated path traversal, which could allow a remote attacker to read arbitrary files from the server filesystem.

“CrowdStrike has released security updates to address a critical unauthenticated path traversal vulnerability in LogScale. This vulnerability only requires mitigation by customers that host specific versions of LogScale and does not affect Next-Gen SIEM customers.” reads the advisory published by the cybersecurity firm. “The vulnerability exists in a specific cluster API endpoint that, if exposed, allows a remote attacker to read arbitrary files from the server filesystem without authentication.”

CrowdStrike LogScale is a log management and observability platform designed to help organizations collect, search, and analyze large volumes of machine data in real time.

It ingests logs from systems, applications, cloud services, and security tools, then makes them searchable almost instantly using a high-performance indexing architecture. This is particularly useful for security operations centers (SOCs), where fast investigation of alerts and incidents matters.

CrowdStrike confirmed that Next-Gen SIEM customers are not affected. LogScale SaaS users were protected on April 7, 2026 through network-layer mitigations applied across all clusters. The company is not aware of attacks exploiting this vulnerability. However, self-hosted LogScale customers must urgently upgrade to a patched version. The flaw was discovered internally through continuous product testing, highlighting proactive security monitoring.

Defensive platforms themselves are high-value targets.

Security tools like LogScale sit at a privileged position inside an organization’s infrastructure. Because of this central role, any weakness in these systems can have a disproportionate impact compared to vulnerabilities in ordinary applications. In this case, a path traversal flaw could potentially expose configuration files, credentials, or internal data that would otherwise remain protected.
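To make the bug class concrete, here is an added example (not CrowdStrike or LogScale code, and the base directory and request strings are constructed) showing why a file-serving endpoint that joins a client-supplied path onto a base directory escapes that directory, and the confinement check that stops it:

```python
# Added example: naive path joining versus confined path resolution.
# Base directory and request values are hypothetical, not from the advisory.
import posixpath
from typing import Optional
from urllib.parse import unquote


def naive_resolve(base_dir: str, requested: str) -> str:
    """Vulnerable pattern: join the client path and trust the result."""
    return posixpath.normpath(posixpath.join(base_dir, requested))


def confined_resolve(base_dir: str, requested: str) -> Optional[str]:
    """Hardened pattern: decode, normalise, then require the result to
    remain inside base_dir. Returns None when the path would escape."""
    # Decode twice so double-encoded sequences such as %252e cannot slip
    # past a single decode step performed later by the file layer.
    decoded = unquote(unquote(requested))
    # Reject NUL bytes and absolute paths before any joining happens.
    if "\x00" in decoded or decoded.startswith(("/", "\\")):
        return None
    # Normalise separators and collapse "." / ".." components.
    cleaned = posixpath.normpath(decoded.replace("\\", "/"))
    root = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(root, cleaned))
    # commonpath is the robust containment test: a plain string-prefix
    # check would accept "/srv/exports2" for a base of "/srv/exports".
    if posixpath.commonpath([root, candidate]) != root:
        return None
    # In a real handler, also resolve symlinks (os.path.realpath) on both
    # root and candidate before this comparison.
    return candidate


if __name__ == "__main__":
    base = "/srv/logscale/exports"  # constructed base directory
    for req in ("2026/export-01.json", "../../etc/passwd",
                "%2e%2e/%2e%2e/etc/passwd", "..%252f..%252fetc/passwd"):
        print(f"{req!r:32} naive={naive_resolve(base, req)!r:28} "
              f"confined={confined_resolve(base, req)!r}")
```

The naive version happily returns a path outside the export directory, which is exactly the class of behaviour a reviewer should flag on any endpoint that maps request input to filesystem reads.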

Defensive software must be treated with the same rigor as the systems it protects. There is often an assumption that security products are inherently safer or more resilient because they are built for protection. In reality, they are equally susceptible to coding errors, design flaws, and configuration issues, sometimes with greater consequences when something goes wrong.

A vulnerability in a monitoring or detection platform can be especially dangerous because it can undermine visibility. Attackers who gain access to such systems may be able to disable alerts, suppress logs, or quietly observe security operations without being detected. In some cases, they may even use the platform itself as a stepping stone to escalate privileges or move laterally across networks.

This is why timely patching and proactive vulnerability management in defensive software are critical. Organizations often prioritize updates for operating systems, web applications, or exposed services, but security infrastructure should receive equal or higher priority. If the tools designed to detect threats are compromised, the entire security posture becomes unreliable.

The CrowdStrike case also reflects a positive aspect of modern security research: the fact that the issue was identified internally and responsibly disclosed. This suggests mature security practices and reduces the likelihood that attackers had early access to exploit the flaw.

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2026-40050)

Source: https://securityaffairs.com/191343/hacking/critical-bug-in-crowdstrike-logscale-let-attackers-access-files.html