CVE-2026-44981 in CrowdSecinfo

Summary

by MITRE • 07/16/2026

CrowdSec offers crowdsourced protection against malicious IPs. From 1.7.0 until 1.7.8, the LAPI router used gin-contrib/gzip with DefaultDecompressHandle globally in pkg/apiserver/controllers/controller.go, causing /v1/watchers and /v1/watchers/login to decompress unauthenticated gzip-compressed JSON request bodies without enforcing a maximum decompressed size and allowing excessive heap allocation that can make LAPI unreachable. This issue is fixed in version 1.7.8.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/16/2026

The vulnerability identified in CrowdSec's LAPI router affects versions 1.7.0 through 1.7.8 and stems from improper handling of gzip-compressed request bodies within the gin-contrib/gzip middleware. This flaw specifically impacts the /v1/watchers and /v1/watchers/login endpoints where the DefaultDecompressHandle function is configured globally in the controller implementation. The security issue arises because the decompression process lacks enforcement of maximum decompressed size limits, creating a potential for excessive heap allocation that can render the LAPI service unreachable.

The technical exploitation of this vulnerability occurs through crafted gzip-compressed JSON payloads sent to the affected endpoints. When these requests are processed, the gin-contrib/gzip middleware automatically decompresses the content without applying size restrictions to the decompressed data. This behavior creates a decompression bomb scenario where attackers can send small compressed payloads that expand to enormous uncompressed sizes, consuming excessive memory resources and potentially causing denial of service conditions. The vulnerability represents a classic case of insufficient resource limitation in input processing, which aligns with CWE-400 - Uncontrolled Resource Consumption and CWE-129 - Improper Validation of Array Index.

The operational impact of this vulnerability extends beyond simple denial of service to potentially compromise the entire LAPI service availability. Attackers can systematically consume heap memory resources through repeated requests with large compressed payloads, eventually leading to service unavailability for legitimate users. This issue particularly affects the authentication and watcher endpoints that are critical for CrowdSec's distributed threat intelligence sharing mechanisms, making it especially dangerous in environments where these services are frequently accessed. The vulnerability demonstrates poor input validation practices and inadequate resource management in API request handling processes.

Mitigation strategies should focus on implementing explicit size limits for decompressed content within the gin-contrib/gzip middleware configuration or by replacing the global DefaultDecompressHandle with a custom implementation that enforces maximum decompressed size constraints. Organizations should upgrade to CrowdSec version 1.7.8 or later where this vulnerability has been addressed through proper resource limiting controls. Additional defensive measures include implementing rate limiting and request size monitoring for affected endpoints, as well as configuring application-level memory limits to prevent excessive heap allocation. The fix aligns with ATT&CK technique T1499.004 - Endpoint Denial of Service by ensuring that decompression operations are properly bounded and monitored to prevent resource exhaustion attacks.

Responsible

GitHub M

Reservation

05/08/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!