
CrowdSec 1.7.8 Security Release: Fixes High-Severity WAF Bypass and LAPI DoS Vulnerabilities
The 1.7.8 release of CrowdSec fixes two vulnerabilities: one of medium impact and one of high impact. We recommend that all users upgrade to the patched version as soon as possible.
If you are using the nginx (or OpenResty) remediation component, you will also need to upgrade it to its latest version to fully address CVE-2026-44982.
CVE-2026-44982: Partial CrowdSec WAF Bypass (high severity)
The AppSec datasource failed to read the request body for any request whose Content-Length was not positive.
In practice, this means HTTP/1.1 requests using Transfer-Encoding: chunked and HTTP/2 requests sent without a content-length header were evaluated against an empty body, silently bypassing any WAF rule targeting body content.
Headers-only and URI-only rules are not affected.
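The bug class described above, as an added Go example; it is not CrowdSec's code, and the function names, the sample body and the 1 MiB cap are assumptions. Go's net/http reports ContentLength as -1 when the length is unknown (chunked, or HTTP/2 without content-length), so a reader gated on a positive length hands an empty body to the rules, while reading the stream itself up to a cap does not.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
)

const maxBody = 1 << 20 // assumed inspection cap, not a CrowdSec setting

// readBodyFlawed mirrors the bug class: the body is read only when the declared
// length is positive, so ContentLength == -1 yields an empty body.
func readBodyFlawed(r *http.Request) ([]byte, error) {
	if r.ContentLength > 0 {
		return io.ReadAll(io.LimitReader(r.Body, r.ContentLength))
	}
	return nil, nil
}

// readBodyFixed ignores the declared length and reads what is actually sent,
// up to maxBody; an oversize body is an error rather than silently truncated.
func readBodyFixed(r *http.Request) ([]byte, error) {
	if r.Body == nil {
		return nil, nil
	}
	b, err := io.ReadAll(io.LimitReader(r.Body, maxBody+1))
	if err != nil {
		return nil, err
	}
	if len(b) > maxBody {
		return nil, fmt.Errorf("body exceeds %d bytes", maxBody)
	}
	return b, nil
}

// newReq builds a constructed request; cl = -1 means "length unknown".
func newReq(body string, cl int64) *http.Request {
	return &http.Request{Method: "POST", Body: io.NopCloser(strings.NewReader(body)), ContentLength: cl}
}

func main() {
	const body = "field=constructed-sample-body"
	for _, cl := range []int64{int64(len(body)), -1} {
		flawed, _ := readBodyFlawed(newReq(body, cl))
		fixed, _ := readBodyFixed(newReq(body, cl))
		fmt.Printf("ContentLength=%d flawed=%d bytes fixed=%d bytes\n", cl, len(flawed), len(fixed))
	}
}
```

A regression test for a body-inspecting component should cover the unknown-length case explicitly, since requests with a declared Content-Length pass through both readers identically.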
CVE-2026-44981: Local API Denial of Service
LAPI did not enforce a maximum decompressed body size on incoming gzip-compressed requests.
A small compressed payload could decompress into hundreds of megabytes of valid JSON, and the unauthenticated /v1/watchers and /v1/watchers/login endpoints made this reachable without credentials.
Sending enough concurrent requests causes LAPI to exhaust memory and be killed by the OS.
By default, LAPI only listens on localhost, so this is not remotely exploitable.
In a distributed setup, any attacker who can reach LAPI can exploit it. Until you upgrade, restrict LAPI access to trusted IPs at the network or reverse proxy layer.
The impact is limited to the availability of new decisions: bouncers continue to enforce existing decisions, but new alerts cannot be processed, and new decisions cannot be distributed while LAPI is down.
