CVE-2026-44981
CrowdSec LAPI: Denial of Service via Unbounded Gzip Decompression
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
CrowdSec offers crowdsourced protection against malicious IPs. From 1.7.0 until 1.7.8, the LAPI router used gin-contrib/gzip with DefaultDecompressHandle globally in pkg/apiserver/controllers/controller.go, causing /v1/watchers and /v1/watchers/login to decompress unauthenticated gzip-compressed JSON request bodies without enforcing a maximum decompressed size and allowing excessive heap allocation that can make LAPI unreachable. This issue is fixed in version 1.7.8.
| CWE | CWE-409 |
| Vendor | crowdsecurity |
| Product | crowdsec |
| Published | Jul 16, 2026 |
Stay Ahead of the Next One
Get instant alerts for crowdsecurity crowdsec
Be the first to know when new unknown vulnerabilities affecting crowdsecurity crowdsec are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
crowdsecurity / crowdsec
>= 1.7.0, < 1.7.8