CVE-2026-44981
Received Received - Intake

Heap Exhaustion via Unlimited Gzip Decompression in CrowdSec

Vulnerability report for CVE-2026-44981, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

CrowdSec offers crowdsourced protection against malicious IPs. From 1.7.0 until 1.7.8, the LAPI router used gin-contrib/gzip with DefaultDecompressHandle globally in pkg/apiserver/controllers/controller.go, causing /v1/watchers and /v1/watchers/login to decompress unauthenticated gzip-compressed JSON request bodies without enforcing a maximum decompressed size and allowing excessive heap allocation that can make LAPI unreachable. This issue is fixed in version 1.7.8.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
crowdsecurity crowdsec 1.7.0
crowdsecurity crowdsec to 1.7.8 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-409 The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-44981 is a Denial of Service vulnerability in CrowdSec's Local API (LAPI) versions 1.7.0 to 1.7.8. It occurs because the LAPI router uses gzip decompression without enforcing a maximum size on unauthenticated endpoints /v1/watchers and /v1/watchers/login. Attackers can send small gzip-compressed payloads that decompress into large JSON structures, causing excessive memory allocation and crashing the LAPI process.

Detection Guidance

Monitor CrowdSec LAPI logs for excessive memory usage or process termination events. Check for repeated requests to /v1/watchers or /v1/watchers/login endpoints with large gzip-compressed payloads. Use tools like netstat or ss to verify if LAPI is exposed to untrusted networks.

Impact Analysis

If exploited, this vulnerability can make LAPI unreachable by causing memory exhaustion. This prevents bouncers from fetching new security decisions and log processors from sending alerts, effectively halting decision-making. The impact is severe in multi-server setups where LAPI is exposed to untrusted networks.

Compliance Impact

This vulnerability could indirectly impact compliance with GDPR and HIPAA by disrupting the availability of CrowdSec's Local API (LAPI). If exploited, it may cause LAPI to become unreachable, preventing bouncers from fetching new decisions and log processors from sending alerts. This could lead to failures in real-time threat detection and response, potentially violating requirements for timely data processing and security monitoring under these regulations.

Mitigation Strategies

Upgrade CrowdSec to version 1.7.8 or later to apply the body size limit enforcement. If upgrading is not possible, restrict access to LAPI endpoints to trusted IPs only, especially for /v1/watchers and /v1/watchers/login.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44981. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart