Download the latest Vulnerability & Exploitation Report

Download now

CrowdSec 1.7.8 Security Release: Fixes High-Severity WAF Bypass and LAPI DoS Vulnerabilities

The 1.7.8 release of CrowdSec fixes two vulnerabilities: one of medium impact and one of high impact. We recommend that all users upgrade to the patched version as soon as possible.

If you are using the nginx (or OpenResty) remediation component, you will also need to upgrade it to its latest version to fully address CVE-2026-44982.

CVE-2026-44982: Partial CrowdSec WAF Bypass (high severity)

The AppSec datasource failed to read the request body for any request whose Content-Length was not positive.

In practice, this means HTTP/1.1 requests using Transfer-Encoding: chunked and HTTP/2 requests sent without a content-length header were evaluated against an empty body, silently bypassing any WAF rule targeting body content.

Headers-only and URI-only rules are not affected.

CVE-2026-44981: Local API Denial of Service

LAPI did not enforce a maximum decompressed body size on incoming gzip-compressed requests.

A small compressed payload could decompress into hundreds of megabytes of valid JSON, and the unauthenticated /v1/watchers and /v1/watchers/login endpoints made this reachable without credentials.

Sending enough concurrent requests causes LAPI to exhaust memory and be killed by the OS.

By default, LAPI only listens on localhost, so this is not remotely exploitable.

In a distributed setup, any attacker who can reach LAPI can exploit it. Until you upgrade, restrict LAPI access to trusted IPs at the network or reverse proxy layer.

The impact is limited to the availability of new decisions: bouncers continue to enforce existing decisions, but new alerts cannot be processed, and new decisions cannot be distributed while LAPI is down.

WRITTEN BY

You may also like

crowdsec threat forecast blocklist release announcement
Announcement

Block 50% More Attackers with the CrowdSec Threat Forecast Blocklist

Introducing our new Threat Forecast Blocklist. Learn how it works and how it can help you block around 50% more attackers before they even reach your servers.

am i under attack
Product Updates

Am I Under Attack: Cut Through the Noise to Detect Sophisticated and Targeted Attacks with CrowdSec’s New feature

Am I Under Attack leverages advanced AI algorithms to detect anomalies in your logs indicating more sophisticated or targeted attacks.

new and advanced ip lookup search
Product Updates

Introducing the New and Advanced IP Lookup Search

In a previous article, we introduced the CTI Report, this time, we are taking it a step further and introducing new and advanced search options for our IP lookup.  You now have access to multiple search options to accurately and effectively explore the CrowdSec CTI.   Let’s take a look. IP lookup search These new search […]