๐Ÿ” CVE Alert

CVE-2026-44981

UNKNOWN 0.0

CrowdSec LAPI: Denial of Service via Unbounded Gzip Decompression

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

CrowdSec offers crowdsourced protection against malicious IPs. From 1.7.0 until 1.7.8, the LAPI router used gin-contrib/gzip with DefaultDecompressHandle globally in pkg/apiserver/controllers/controller.go, causing /v1/watchers and /v1/watchers/login to decompress unauthenticated gzip-compressed JSON request bodies without enforcing a maximum decompressed size and allowing excessive heap allocation that can make LAPI unreachable. This issue is fixed in version 1.7.8.

CWE CWE-409
Vendor crowdsecurity
Product crowdsec
Published Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for crowdsecurity crowdsec

Be the first to know when new unknown vulnerabilities affecting crowdsecurity crowdsec are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

crowdsecurity / crowdsec
>= 1.7.0, < 1.7.8

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/crowdsecurity/crowdsec/security/advisories/GHSA-273h-gvwr-c3qj github.com: https://github.com/crowdsecurity/crowdsec/commit/54a0dfe6c16b7687b0da6634e0b19ef0f5d9bb30 github.com: https://github.com/crowdsecurity/crowdsec/commit/56d0d6915f7f25941dc5b4f484028646f6601a37