CVE-2026-21876
📋 TL;DR
This vulnerability in OWASP Core Rule Set (CRS) allows attackers to bypass multipart request filtering in web application firewalls. When processing multipart requests with multiple parts, the rule incorrectly captures only the last part's charset, potentially missing malicious content in earlier parts. This affects any organization using vulnerable CRS versions with compatible WAFs.
💻 Affected Systems
- OWASP Core Rule Set (CRS)
⚠️ Risk & Real-World Impact
Worst Case
Attackers could bypass WAF protections entirely, allowing injection attacks (SQLi, XSS, RCE) to reach backend applications undetected.
Likely Case
Selective bypass of specific WAF rules for multipart requests, enabling limited injection attacks or evasion of security controls.
If Mitigated
With proper defense-in-depth (application-layer validation, input sanitization), impact is reduced even if WAF bypass occurs.
🎯 Exploit Status
Exploitation requires crafting multipart requests with malicious content in early parts and legitimate content in later parts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.8 or 4.22.0
Vendor Advisory: https://github.com/coreruleset/coreruleset/security/advisories/GHSA-36fv-25j3-r2c5
Restart Required: Yes
Instructions:
1. Update CRS to version 3.3.8 (for the v3 branch) or 4.22.0 (for the v4 branch).
2. Restart the WAF service.
3. Verify that rule 922110 functions correctly.
🔧 Temporary Workarounds
Disable rule 922110
Temporarily disable the affected rule until patching is possible.
# In CRS configuration:
SecRuleRemoveById 922110
Block multipart requests
Configure the WAF to block or strictly validate all multipart requests.
# Add custom rule to reject multipart content with suspicious patterns
🧯 If You Can't Patch
- Implement strict input validation at application layer for all multipart data
- Deploy additional WAF or IPS with different rule sets for defense-in-depth
🔍 How to Verify
Check if Vulnerable:
Check CRS version: if using v3 < 3.3.8 or v4 < 4.22.0, you are vulnerable.
Check Version:
grep 'coreruleset' /path/to/crs/crs-setup.conf | grep 'version'
Verify Fix Applied:
After updating, send a test multipart request whose first part declares a malicious charset and whose second part declares a legitimate one; the request should be blocked.
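To make the failure mode concrete, here is an added example (not CRS's own rule logic) that extracts the declared charset from every part of a constructed multipart body and contrasts a last-part-only policy check with one that inspects every part. The charset allowlist is an assumption modelled on the rule's purpose, not the exact CRS default.

```python
import re
from typing import Dict, List

# Assumed allowlist for this example; CRS keeps its own policy value.
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1", "iso-8859-15", "windows-1252"}

CHARSET_RE = re.compile(r'charset\s*=\s*"?([^";\s]+)"?', re.IGNORECASE)


def part_charsets(body: bytes, boundary: str) -> List[str]:
    """Return the charset declared in each part's headers, in order ('' if none)."""
    delim = b"--" + boundary.encode("ascii")
    charsets: List[str] = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter "--boundary--"
        headers, _, _ = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        match = CHARSET_RE.search(headers.decode("latin-1"))
        charsets.append(match.group(1).lower() if match else "")
    return charsets


def check_last_part_only(charsets: List[str]) -> bool:
    """Mirrors the flawed behaviour: only the final captured charset is checked."""
    declared = [c for c in charsets if c]
    return True if not declared else declared[-1] in ALLOWED_CHARSETS


def check_every_part(charsets: List[str]) -> bool:
    """Corrected behaviour: every declared charset must be on the allowlist."""
    return all(c in ALLOWED_CHARSETS for c in charsets if c)


def evaluate(body: bytes, boundary: str) -> Dict[str, object]:
    charsets = part_charsets(body, boundary)
    return {
        "charsets": charsets,
        "last_only_allows": check_last_part_only(charsets),
        "every_part_allows": check_every_part(charsets),
    }


# Constructed sample: first part declares a charset outside the allowlist,
# second part declares an allowed one.
BOUNDARY = "exampleBoundary"
CONSTRUCTED_BODY = (
    b"--exampleBoundary\r\nContent-Disposition: form-data; name=\"comment\"\r\n"
    b"Content-Type: text/plain; charset=utf-16\r\n\r\nfirst part\r\n"
    b"--exampleBoundary\r\nContent-Disposition: form-data; name=\"note\"\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n\r\nsecond part\r\n"
    b"--exampleBoundary--\r\n"
)
```

Run `evaluate(CONSTRUCTED_BODY, BOUNDARY)`: the last-part-only check lets the request through, while the every-part check rejects it.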
📡 Detection & Monitoring
Log Indicators:
- WAF logs showing rule 922110 not triggering on multipart requests with suspicious charsets
- Increased successful attacks after multipart requests
Network Indicators:
- Multipart requests with mixed charsets in different parts
- Unusual Content-Type headers in multipart requests
SIEM Query:
source="waf_logs" AND rule_id="922110" AND request_content_type="multipart" AND action="passed"
🔗 References
- https://github.com/coreruleset/coreruleset/commit/80d80473abf71bd49bf6d3c1ab221e3c74e4eb83
- https://github.com/coreruleset/coreruleset/commit/9917985de09a6cf38b3261faf9105e909d67a7d6
- https://github.com/coreruleset/coreruleset/releases/tag/v3.3.8
- https://github.com/coreruleset/coreruleset/releases/tag/v4.22.0
- https://github.com/coreruleset/coreruleset/security/advisories/GHSA-36fv-25j3-r2c5