CVE-2026-44982 in crowdsec
Summary
by MITRE • 07/16/2026
CrowdSec offers crowdsourced protection against malicious IPs. From 1.5.0 until 1.7.8, pkg/appsec/request.go NewParsedRequestFromRequest allocated a request body buffer from max(r.ContentLength, 0), so HTTP/1.1 requests using Transfer-Encoding: chunked and HTTP/2 requests without a content-length header produced an empty body and caused WAF rules targeting REQUEST_BODY, BODY_ARGS, ARGS_POST, JSON, or XML to be skipped. This issue is fixed in version 1.7.8.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/16/2026
The vulnerability resides in the CrowdSec application security module where improper handling of HTTP request bodies creates a significant bypass opportunity for malicious actors. This flaw affects versions between 1.5.0 and 1.7.8, specifically within the pkg/appsec/request.go file's NewParsedRequestFromRequest function. The core issue stems from how the system allocates memory for request body buffers using max(r.ContentLength, 0) which fails to properly account for different HTTP transfer encodings and protocol versions. When HTTP/1.1 requests employ Transfer-Encoding: chunked or HTTP/2 requests lack content-length headers, the buffer allocation results in zero-length buffers being created, effectively erasing the actual request payload data.
This technical flaw directly maps to CWE-129 and CWE-130 within the Common Weakness Enumeration framework, representing issues related to improper input validation and insufficient boundary checking. The vulnerability creates a critical operational gap where legitimate security rules designed to inspect request bodies become ineffective against crafted malicious requests. WAF rules targeting REQUEST_BODY, BODY_ARGS, ARGS_POST, JSON, or XML components all fail to function properly because the system cannot properly parse or examine the actual payload content. This allows attackers to bypass security controls that should normally detect and block malicious payloads, injection attacks, or other threats present in request bodies.
The impact of this vulnerability extends beyond simple rule bypassing as it fundamentally undermines the integrity of the application security layer. Attackers can exploit this weakness to deliver payloads that would normally be detected by security rules, potentially enabling data exfiltration, command injection, or other malicious activities. The issue affects both HTTP/1.1 and HTTP/2 protocols differently since chunked encoding and missing content-length headers are handled inconsistently across these protocol versions. This creates a complex attack surface where threat actors can craft requests that appear valid to the web server but bypass all application security controls designed to inspect request bodies.
Organizations deploying CrowdSec within their security infrastructure face significant risk exposure from this vulnerability, particularly those relying on body-based detection rules for protecting against common web application attacks. The fix implemented in version 1.7.8 addresses the core buffer allocation logic to properly handle different HTTP transfer encodings and protocol characteristics. Security teams should prioritize immediate deployment of version 1.7.8 or later to remediate this vulnerability, while also implementing monitoring for potential exploitation attempts that may have occurred during the vulnerable timeframe. The ATT&CK framework categorizes this issue under T1566 (Phishing) and T1071.004 (Application Layer Protocol: DNS) when combined with other attack vectors, as attackers may leverage such bypasses to establish persistent access or escalate privileges through undetected malicious payloads.