PT-2026-44130 · Go · github.com/crowdsecurity/crowdsec

Published 2026-05-27 · Updated 2026-06-16 · CVE-2026-44981

CVSS v4.0: 4.6 (Medium)

Vector

AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

Name of the Vulnerable Software and Affected Versions

CrowdSec LAPI (affected versions not specified)

Description

The LAPI router uses the gin-contrib/gzip middleware with DefaultDecompressHandle globally in pkg/apiserver/controllers/controller.go. This middleware decompresses incoming request bodies without enforcing a maximum decompressed size. An attacker can send small gzip-compressed JSON payloads to the unauthenticated endpoints '/v1/watchers' or '/v1/watchers/login' that expand into hundreds of megabytes of JSON in server memory. Several such requests in parallel can drive heap allocation high enough that the operating system terminates the process. The result is a denial of service: bouncers cannot fetch new decisions and log processors cannot send alerts. In the default configuration this is not exploitable over the network, because LAPI listens only on the loopback interface, but it is a risk in multi-server setups where LAPI is exposed to untrusted IP addresses.

Recommendations

Restrict access to trusted IP addresses if LAPI is exposed on the network, for example in multi-server deployments or behind a reverse proxy. At the moment there is no information about a newer version that contains a fix for this vulnerability.
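The defect described above is decompression with no bound on the inflated size. As an added illustration of the defensive counterpart (this is not CrowdSec's or gin-contrib/gzip's code, and it assumes a plain net/http handler chain rather than gin), the middleware below inflates a gzip body only up to a fixed cap, answers 413 when the cap is exceeded, and never allocates more than the cap plus one byte however extreme the compression ratio is. The gzipBytes helper only builds constructed sample payloads.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"io"
	"net/http"
	"strings"
)

// inflateBounded inflates a gzip stream but reads at most maxBytes+1 bytes, so a
// small "bomb" cannot allocate more than the cap. The bool reports cap exceeded.
func inflateBounded(compressed io.Reader, maxBytes int64) ([]byte, bool, error) {
	zr, err := gzip.NewReader(compressed)
	if err != nil {
		return nil, false, err
	}
	data, err := io.ReadAll(io.LimitReader(zr, maxBytes+1))
	if err != nil {
		return nil, false, err
	}
	return data, int64(len(data)) > maxBytes, nil
}

// boundedGzip is an assumed net/http middleware (standard library only, not
// gin-contrib/gzip): it swaps in the bounded inflation and answers 413 when the
// decompressed body would exceed maxBytes. MaxBytesReader also caps the raw input.
func boundedGzip(maxBytes int64, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.EqualFold(r.Header.Get("Content-Encoding"), "gzip") {
			data, tooBig, err := inflateBounded(http.MaxBytesReader(w, r.Body, maxBytes), maxBytes)
			if err != nil || tooBig {
				http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
				return
			}
			r.Body = io.NopCloser(bytes.NewReader(data))
			r.Header.Del("Content-Encoding")
		}
		next.ServeHTTP(w, r)
	})
}

// gzipBytes builds a constructed compressed payload for exercising the middleware.
func gzipBytes(plain []byte) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write(plain)
	zw.Close()
	return buf.Bytes()
}
```

A 10 MiB body of a single repeated byte compresses to a few kilobytes, yet with a 1 MiB cap the middleware reads at most 1 MiB + 1 bytes of it before rejecting the request.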

Weakness Enumeration

Related Identifiers

CVE-2026-44981
GHSA-273H-GVWR-C3QJ
GO-2026-5041

Affected Products

github.com/crowdsecurity/crowdsec