Summary
The CrowdSec AppSec component fails to read the HTTP request body for any request whose Content-Length is not positive, most notably HTTP/1.1 requests using Transfer-Encoding: chunked and HTTP/2 requests sent without a content-length header. Coraza is then evaluated against an empty body, so every WAF rule targeting REQUEST_BODY, BODY_ARGS, ARGS_POST, JSON, or XML silently fails to match.
An unauthenticated remote attacker can bypass the entire AppSec body-inspection pipeline by changing a single framing header on an otherwise-malicious request. The bypassed request is forwarded as allow and produces no WAF log entry.
Affected versions
github.com/crowdsecurity/crowdsec, all releases up to and including v1.7.7.
Affected component
pkg/appsec/request.go, function NewParsedRequestFromRequest.
Root cause
func NewParsedRequestFromRequest(r *http.Request, logger *log.Entry) (ParsedRequest, error) {
var err error
contentLength := max(r.ContentLength, 0)
body := make([]byte, contentLength)
if r.Body != nil {
_, err = io.ReadFull(r.Body, body)
if err != nil {
return ParsedRequest{}, fmt.Errorf("unable to read body: %s", err)
}
r.Body = io.NopCloser(bytes.NewBuffer(body))
}
...
}
Go's net/http server sets r.ContentLength = -1 when the request uses Transfer-Encoding: chunked with no Content-Length header, or when an HTTP/2 request omits the content-length pseudo-header (DATA-frame-only body). With ContentLength == -1:
max(-1, 0)evaluates to0.make([]byte, 0)allocates a zero-length slice.io.ReadFullon a zero-length buffer needs zero bytes and returns immediately without touchingr.Body.- The empty buffer is written back onto the request and onto the cloned request constructed later in the same function.
Every downstream consumer then sees an empty body. In the AppSec runner, WriteRequestBody is skipped because the parsed body has zero length, and ProcessRequestBody runs against nothing.
Workarounds
No complete workaround is available.
Impact
Every body-scanning rule is bypassed for any request whose framing makes Content-Length non-positive. In default CrowdSec deployments using the standard AppSec collections, the bypass affects any rule with zones containing BODY_ARGS, JSON, XML, REQUEST_BODY, or ARGS_POST.
No configuration option mitigates the issue, the defect is in the request parser, not in any ruleset. Bypassed requests do not produce a WAF log entry, so operators have no signal that rules are being skipped.
Header-only and URI-only rules are unaffected.
CVE-2026-44982 has a CVSS score of 7.2 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.7.8); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-44982? CVE-2026-44982 is a high-severity security vulnerability in github.com/crowdsecurity/crowdsec (go), affecting versions >= 1.5.0, <= 1.7.7. It is fixed in 1.7.8.
- How severe is CVE-2026-44982? CVE-2026-44982 has a CVSS score of 7.2 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of github.com/crowdsecurity/crowdsec are affected by CVE-2026-44982? github.com/crowdsecurity/crowdsec (go) versions >= 1.5.0, <= 1.7.7 is affected.
- Is there a fix for CVE-2026-44982? Yes. CVE-2026-44982 is fixed in 1.7.8. Upgrade to this version or later.
- Is CVE-2026-44982 exploitable, and should I be worried? Whether CVE-2026-44982 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-44982 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-44982? Upgrade
github.com/crowdsecurity/crowdsecto 1.7.8 or later.