Advisory

OWASP CRS Patches Critical Multipart Charset Validation Bypass

Take action: If you run the OWASP Core Rule Set (CRS) on any WAF engine, this matters to you. Upgrade to CRS 4.22.0, or to 3.3.8 if you are on the 3.x branch, as soon as possible; these releases carry the fix for rule 922110. Do not rely on the default behaviour of rule 922110 until you have upgraded: attackers can easily hide encoded malicious scripts in multipart uploads.


Learn More

The OWASP Core Rule Set (CRS) team has fixed a flaw that let attackers bypass the charset check on multipart form data and deliver encoded payloads to backend applications.

The flaw is tracked as CVE-2026-21876 (CVSS score 9.3). It is a charset validation bypass in rule 922110, which is enabled by default. The rule is meant to block dangerous text encodings such as UTF-7, UTF-16 and UTF-32 declared in the Content-Type header of a multipart part; attackers use these encodings to hide malicious scripts from the Web Application Firewalls (WAFs) that protect backend servers.

The problem comes from how ModSecurity evaluates chained rules when a request has many parts. For each part, the charset declared in that part's header is saved into a temporary transaction (TX) variable, and every part overwrites the value written by the previous one. The chained check then runs against whatever is left, which is the charset of the last part only. If the last part declares a safe charset, the WAF lets the whole request through, even if earlier parts declare UTF-7 or another blocked encoding.

An attacker exploits this by building a request with two or more parts. The first part carries a UTF-7 encoded script designed to steal cookies or take over sessions; the last part uses plain UTF-8. Because the WAF only checks the last part, it never sees the encoding of the first. This lets cross-site scripting (XSS) reach the backend server without any user interaction or authentication.

Example attack payload:

Content-Type: multipart/form-data; boundary=----Boundary

  • Part 1: Content-Type: text/plain; charset=UTF-7, with body +ADw-script+AD4-alert(document.cookie)+ADw-/script+AD4- (the UTF-7 encoding of <script>alert(document.cookie)</script>)
  • Part 2: Content-Type: text/plain; charset=UTF-8, with legitimate body text such as username=test

Rule 922110 examines only the charset of the final UTF-8 part, wrongly judges the whole request safe, and forwards the UTF-7 encoded XSS to the backend application. If the application decodes the part according to its declared charset and renders it without sanitization, the script executes.
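The following Python model makes the overwrite behaviour concrete. It is an added example, not OWASP CRS or ModSecurity code: it parses a constructed multipart body, models the pre-patch chain (one TX variable overwritten per part, tested once) beside the intended per-part check, and decodes the UTF-7 part the way a charset-honouring backend would. The charset allow-list, the form field names and the request bodies are assumptions made for the demo; only the UTF-7 payload and boundary come from the advisory.

```python
from __future__ import annotations

import re

# Constructed allow-list of charsets the check accepts.  This is an
# assumption for the model, not the real rule's list; what matters is
# that utf-7, utf-16 and utf-32 are not on it.
ALLOWED_CHARSETS = {"utf-8", "us-ascii", "iso-8859-1"}

CHARSET_RE = re.compile(r'charset\s*=\s*"?([A-Za-z0-9._-]+)"?', re.IGNORECASE)

BOUNDARY = "----Boundary"

# UTF-7 form of <script>alert(document.cookie)</script>, as in the advisory.
UTF7_XSS = b"+ADw-script+AD4-alert(document.cookie)+ADw-/script+AD4-"


def parse_multipart(body: bytes, boundary: str) -> list[dict]:
    """Split a multipart/form-data body into parts.  Each part is a dict
    with 'headers' (lower-cased name -> value) and 'data' (bytes)."""
    delimiter = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delimiter)[1:]:      # [0] is the preamble
        if chunk.startswith(b"--"):              # closing delimiter
            break
        head, _, data = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = {}
        for line in head.split(b"\r\n"):
            name, _, value = line.decode("latin-1").partition(":")
            headers[name.strip().lower()] = value.strip()
        # The CRLF before the next delimiter is framing, not part data.
        parts.append({"headers": headers, "data": data.rstrip(b"\r\n")})
    return parts


def part_charset(part: dict) -> str | None:
    """Charset declared in the part's own Content-Type header, if any."""
    match = CHARSET_RE.search(part["headers"].get("content-type", ""))
    return match.group(1).lower() if match else None


def vulnerable_check(parts: list[dict]) -> bool:
    """Pre-patch behaviour as the advisory describes it: every part writes
    its charset into the same TX variable, so only the LAST part's value
    is left when the chained test runs.  True means 'allow'."""
    tx_charset = None
    for part in parts:
        charset = part_charset(part)
        if charset is not None:
            tx_charset = charset                 # overwrites the earlier part
    return tx_charset is None or tx_charset in ALLOWED_CHARSETS


def fixed_check(parts: list[dict]) -> bool:
    """Intended behaviour: judge every part on its own; one bad part blocks."""
    return all(
        part_charset(p) is None or part_charset(p) in ALLOWED_CHARSETS
        for p in parts
    )


def build_request(spec: list[tuple[str, str, bytes]]) -> bytes:
    """Constructed multipart body; the field names are made up for the demo."""
    out = bytearray()
    for name, charset, data in spec:
        out += f"--{BOUNDARY}\r\n".encode()
        out += f'Content-Disposition: form-data; name="{name}"\r\n'.encode()
        out += f"Content-Type: text/plain; charset={charset}\r\n\r\n".encode()
        out += data + b"\r\n"
    out += f"--{BOUNDARY}--\r\n".encode()
    return bytes(out)


def decode_as_backend(part: dict) -> str:
    """What a backend that honours the declared charset sees for the part."""
    return part["data"].decode(part_charset(part) or "utf-8")


# Attack from the advisory: UTF-7 part first, harmless UTF-8 part last.
ATTACK = build_request([("comment", "UTF-7", UTF7_XSS), ("username", "UTF-8", b"test")])
# Same two parts in the other order: now the UTF-7 charset is the survivor.
ATTACK_REVERSED = build_request([("username", "UTF-8", b"test"), ("comment", "UTF-7", UTF7_XSS)])

if __name__ == "__main__":
    parts = parse_multipart(ATTACK, BOUNDARY)
    print("declared charsets:", [part_charset(p) for p in parts])
    print("vulnerable check allows:", vulnerable_check(parts))
    print("fixed check allows:     ", fixed_check(parts))
    print("backend decodes part 1 to:", decode_as_backend(parts[0]))
    print("reversed order, vulnerable check allows:",
          vulnerable_check(parse_multipart(ATTACK_REVERSED, BOUNDARY)))
```

Running the script shows the pre-patch model allowing the request whose last part is UTF-8 while the per-part check blocks it, and blocking the same parts once the UTF-7 part is moved last. That order dependence is the practical test for this class of bug: any chained rule that funnels a per-part value through a single TX variable should be checked with a benign part appended after the hostile one.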

This flaw affects CRS versions 3.0.0 through 4.21.0, which means almost every deployment. It is independent of the engine: ModSecurity v2, ModSecurity v3 and Coraza are all affected.

Users should update their rule sets to a fixed release (4.22.0, or 3.3.8 on the 3.x branch, as noted above) as soon as possible.

If you cannot update immediately, the only alternative is to disable rule 922110 entirely, which removes the charset check for every request and leaves applications exposed to other encoding attacks; treat that as a short-term stopgap, not a fix.
