CVE-2026-21876
Capture Variable Overwrite in OWASP CRS Multipart Request Processing

Publication date: 2026-01-08

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description
The OWASP Core Rule Set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (such as `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) are overwritten on each iteration, so only the last captured value is available to the chained rule. A malicious charset in an earlier part is therefore missed whenever a later part carries a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue.
Affected Vendors & Products

Vendor   Product                            Version / Range
owasp    owasp_modsecurity_core_rule_set    before 3.3.8 (exclusive)
owasp    owasp_modsecurity_core_rule_set    from 4.0.0 (inclusive) to 4.22.0 (exclusive)
CWE

CWE-794 (Incomplete Filtering of Multiple Instances of Special Elements): The product receives data from an upstream component, but does not filter all instances of a special element before sending it to a downstream component.
Executive Summary

CVE-2026-21876 is a vulnerability in the OWASP Core Rule Set (CRS) affecting rule 922110 when it processes multipart HTTP requests with more than one part. The first rule of the chain iterates over the part headers and overwrites its capture variables on every iteration, so the chained check sees only the last part's charset. A disallowed charset in an earlier part is missed whenever a later part declares an allowed one, letting an attacker evade the check simply by ordering the parts so that a legitimate charset comes last. [5, 3, 4]

Impact Analysis

The direct effect is evasion of the CRS charset check: a multipart request whose earlier part declares a charset outside the allowlist passes rule 922110 as long as a later part declares an allowed one. The attack is remote, needs no privileges and no user interaction, since any client can craft the multipart body. The downstream consequence is whatever the bypassed check was meant to stop, namely charset-based encoding tricks reaching the backend application; on that basis the assessment rates the confidentiality impact as high and the integrity impact as moderate, with no availability impact. The bypass on its own compromises nothing, so the real exposure depends on how the protected application decodes the affected part. [5]

Detection Guidance

The bypass is, by construction, silent on a vulnerable CRS: the chained rule evaluates only the last captured charset, so a request that exploits the bug produces no 922110 alert at all. Searching the audit log for 922110 hits therefore finds the attempts the rule did catch, not the ones that evaded it. To find exploitation attempts against a not-yet-patched deployment, inspect the multipart bodies themselves (audit log part C, if `SecAuditLogParts` includes it, or a traffic capture) for any part whose Content-Type carries a charset parameter outside your allowlist, regardless of the part's position. After upgrading, the fixed rules (922140, 922150 and the reworked 922110, per the advisory) track and validate every part's Content-Type and charset, so monitoring alerts from those rule IDs becomes meaningful. On a host running ModSecurity with CRS, the audit log can be searched for those alerts with `grep 'id "922110"' /var/log/modsec_audit.log` (adjust the ID and path to your setup), or through your WAF's own query interface. [3, 4, 5]
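The following Python is an added example, not code from the CRS project or from ModSecurity. It serves both the Description above (it models the chained-rule semantics that cause the bug: a capture overwritten on every iteration, so only the last part's charset is tested) and the detection guidance (a per-part scan of a multipart body that flags a disallowed charset wherever it appears). The charset allowlist, the boundary, the field names and the sample bodies are constructed for the example; `vulnerable_check` and `fixed_check` are models of the two behaviours, not the engine's implementation.

```python
"""Model of the capture-overwrite bug behind CVE-2026-21876 (added example).

Not CRS or ModSecurity code. The allowlist, boundary, field names and sample
bodies below are constructed for the example; the two check functions model
the chained-rule semantics the advisory describes, not the engine internals.
"""
import re

# Assumed allowlist in the spirit of the CRS charset allowlist; adjust to your config.
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1", "iso-8859-15", "windows-1252"}
BOUNDARY = "----exampleboundary"  # constructed

# Loosely modelled on the capture in rule 922110: "charset=<value>", quotes optional.
CHARSET_RE = re.compile(r"charset\s*=\s*['\"]?([^'\";\s]+)", re.IGNORECASE)


def build_body(charsets, boundary=BOUNDARY):
    """Construct a multipart/form-data body with one text part per entry.

    Each entry is a charset string or None (a Content-Type without a charset).
    """
    lines = []
    for i, cs in enumerate(charsets):
        ctype = "text/plain" if cs is None else f"text/plain; charset={cs}"
        lines += [
            f"--{boundary}",
            f'Content-Disposition: form-data; name="field{i}"',
            f"Content-Type: {ctype}",
            "",
            f"value{i}",
        ]
    lines += [f"--{boundary}--", ""]
    return "\r\n".join(lines).encode()


def parse_parts(body, boundary=BOUNDARY):
    """Return one dict of lower-cased header name -> value per part.

    Tolerates CRLF or bare LF line endings and ignores preamble and epilogue.
    """
    delimiter = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):           # closing delimiter: --boundary--
            break
        chunk = chunk.lstrip(b"\r\n")
        m = re.search(rb"\r?\n\r?\n", chunk)  # first blank line ends the headers
        header_blob = chunk if m is None else chunk[: m.start()]
        headers = {}
        for line in re.split(rb"\r?\n", header_blob):
            if b":" in line:
                name, value = line.split(b":", 1)
                headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
        parts.append(headers)
    return parts


def part_charsets(parts):
    """Charset parameter of each part's Content-Type, in order (None if absent)."""
    out = []
    for headers in parts:
        m = CHARSET_RE.search(headers.get("content-type", ""))
        out.append(m.group(1).lower() if m else None)
    return out


def vulnerable_check(parts):
    """Pre-4.22.0 / pre-3.3.8 chain: the capture is overwritten on every match,
    so the chained rule only ever tests the LAST part that declared a charset."""
    tx1 = None
    for cs in part_charsets(parts):
        if cs is not None:
            tx1 = cs                          # TX:1 overwritten by each iteration
    return tx1 is not None and tx1 not in ALLOWED_CHARSETS


def disallowed_charsets(parts):
    """Every (part index, charset) outside the allowlist, regardless of position."""
    return [(i, cs) for i, cs in enumerate(part_charsets(parts))
            if cs is not None and cs not in ALLOWED_CHARSETS]


def fixed_check(parts):
    """Per-part evaluation: a disallowed charset in any part is a hit."""
    return bool(disallowed_charsets(parts))


if __name__ == "__main__":
    # Constructed bypass: disallowed charset in part 0, allowed charset in part 1.
    bypass = parse_parts(build_body(["utf-7", "utf-8"]))
    print("bypass   vulnerable:", vulnerable_check(bypass), " fixed:", fixed_check(bypass))
    # Same parts in the opposite order: the vulnerable chain does fire.
    swapped = parse_parts(build_body(["utf-8", "utf-7"]))
    print("swapped  vulnerable:", vulnerable_check(swapped), " fixed:", fixed_check(swapped))
```

Running the script shows the order dependence directly: with the disallowed charset first and an allowed one last, `vulnerable_check` returns False while `fixed_check` returns True; swapping the parts makes both return True. For log triage, `disallowed_charsets` gives the part index and offending value, which is what you want to record when scanning audit-log request bodies or captures against your own allowlist.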

Mitigation Strategies

The immediate mitigation is to upgrade the OWASP Core Rule Set (CRS) to version 4.22.0 or 3.3.8 (or later), where the multipart handling of rule 922110 is fixed. These versions include reworked rules (922140, 922150, 922110) that track and validate every multipart Content-Type header and its charset parameter, so the position of a part no longer matters. Until you can upgrade, a temporary custom rule that evaluates each part's charset on its own, rather than through a chain that depends on a single capture value, closes the gap; test it against a multipart body whose disallowed charset sits in a part before an allowed one, because that is the exact case the vulnerable rule misses. Disabling multipart request processing is not a substitute: it removes the charset check entirely rather than fixing it, along with every other multipart inspection. In parallel, review multipart requests in WAF logs or captures for parts carrying charsets outside your allowlist and block or alert on them. [2, 3, 4, 5]
