PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-44982 crowdsecurity CVE debrief

A vulnerability was found in CrowdSec's HTTP request handling. From version 1.5.0 to 1.7.7, the NewParsedRequestFromRequest function in pkg/appsec/request.go allocated a request body buffer based on max(r.ContentLength, 0). This caused HTTP/1.1 requests with Transfer-Encoding: chunked and HTTP/2 requests without a content-length header to have an empty body. As a result, WAF rules targeting REQUEST_BODY, BODY_ARGS, ARGS_POST, JSON, or XML were skipped. The issue was fixed in version 1.7.8.

Vendor
crowdsecurity
Product
crowdsec
CVSS
HIGH 7.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-16
Advisory published
2026-07-16
Advisory updated
2026-07-16

Who should care

Users of CrowdSec version 1.5.0 through 1.7.7 should update to version 1.7.8 to address this vulnerability. Security teams monitoring WAF rules and HTTP traffic may need to review their configurations to ensure they are not impacted by this issue.

Technical summary

The NewParsedRequestFromRequest function in CrowdSec's pkg/appsec/request.go file allocated a request body buffer based on the maximum of the ContentLength and 0. This logic caused issues with HTTP/1.1 requests using Transfer-Encoding: chunked and HTTP/2 requests without a content-length header, resulting in an empty request body. Consequently, WAF rules designed to inspect the request body (e.g., REQUEST_BODY, BODY_ARGS, ARGS_POST, JSON, or XML) were bypassed. The fix in version 1.7.8 properly handles these scenarios to prevent WAF rule evasion.

Defensive priority

High

Recommended defensive actions

  • Update CrowdSec to version 1.7.8 or later
  • Review WAF configurations for potential bypasses
  • Monitor HTTP traffic for unusual patterns
  • Verify request body inspection rules are functioning correctly
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.

Evidence notes

The CVE record was published on 2026-07-16T20:16:45.033Z and has not been modified since then. The NVD entry is currently 7.2 HIGH. Multiple source references are provided, including commits and a security advisory.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T20:16:45.033Z and has not been modified since then.