Cyber Posture

CVE-2026-40050

Critical

Published: 21 April 2026

Modified: 22 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0032 (54.6th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

CrowdStrike has released security updates to address a critical unauthenticated path traversal vulnerability (CVE-2026-40050) in LogScale. This vulnerability only requires mitigation by customers that host specific versions of LogScale and does not affect Next-Gen SIEM customers. The vulnerability exists in a specific cluster API endpoint that, if exposed, allows a remote attacker to read arbitrary files from the server filesystem without authentication. Next-Gen SIEM customers are not affected and do not need to take any action. CrowdStrike mitigated the vulnerability for LogScale SaaS customers by deploying network-layer blocks to all clusters on April 7, 2026. We have proactively reviewed all log data and there is no evidence of exploitation. LogScale Self-hosted customers should upgrade to a patched version immediately to remediate the vulnerability. CrowdStrike identified this vulnerability during continuous and ongoing product testing.

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-2 requires timely remediation of flaws like this unauthenticated path traversal vulnerability through patching, as recommended by CrowdStrike for self-hosted LogScale.

Prevent: SI-10 mandates validation of inputs to the cluster API endpoint to block path traversal attacks that allow arbitrary file reads.

Prevent: SC-7 enforces boundary protection to block network access to the exposed vulnerable API endpoint, mirroring CrowdStrike's network-layer mitigation for SaaS.

Security Summary

CVE-2026-40050 is a critical unauthenticated path traversal vulnerability (CWE-22, CWE-306) in CrowdStrike LogScale, affecting specific versions hosted by customers. The issue resides in a cluster API endpoint that, when exposed, enables unauthorized access. It does not impact Next-Gen SIEM customers or require action from them.

A remote attacker with network access to the exposed endpoint can exploit this vulnerability without authentication, privileges, or user interaction. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) rates the confidentiality, integrity, and availability impacts as high; the advisory describes the demonstrated impact as reading arbitrary files from the server filesystem.

CrowdStrike's advisory recommends immediate upgrades to patched versions for LogScale self-hosted customers. For LogScale SaaS customers, the vendor deployed network-layer blocks across all clusters on April 7, 2026, mitigating the issue. Details are available at https://www.crowdstrike.com/en-us/security-advisories/cve-2026-40050/.

CrowdStrike discovered the vulnerability through ongoing product testing and, after proactive log review, found no evidence of real-world exploitation. The CVE was published on April 21, 2026.

Details

CWE(s)

CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal") and CWE-306 (Missing Authentication for Critical Function), as listed in the security summary above.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

An unauthenticated path traversal in an exposed cluster API endpoint enables exploitation of a public-facing application (T1190) and arbitrary file reads from the local filesystem (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

CrowdStrike security advisory for CVE-2026-40050: https://www.crowdstrike.com/en-us/security-advisories/cve-2026-40050/