CVE-2026-21876
Capture Variable Overwrite in OWASP CRS Multipart Request Processing

Publication date: 2026-01-08

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description
The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue.
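The capture-overwrite behaviour described above, modelled in Python as an added example (a constructed illustration, not CRS rule code and not the project's actual fix): `part_headers` stands in for `MULTIPART_PART_HEADERS`, the charset allow-list and the sample body are assumptions, and `fixed_chain` shows the per-part check the chained rule needs rather than the patched rule text.

```python
import re

# Constructed allow-list for this model; CRS keeps its own configurable list.
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1"}
CHARSET_RX = re.compile(r'^content-type:.*?charset\s*=\s*"?([^";\s]+)', re.I)

# Constructed sample body: the first part carries a charset that is not on the
# allow-list, the last part a permitted one (the order that triggers the bug).
BOUNDARY = b"----Boundary1234"
SAMPLE_BODY = (
    b"------Boundary1234\r\n"
    b'Content-Disposition: form-data; name="a"\r\n'
    b"Content-Type: text/plain; charset=utf-7\r\n\r\nAAA\r\n"
    b"------Boundary1234\r\n"
    b'Content-Disposition: form-data; name="b"\r\n'
    b"Content-Type: text/plain; charset=utf-8\r\n\r\nBBB\r\n"
    b"------Boundary1234--\r\n"
)

def part_headers(body: bytes, boundary: bytes) -> list:
    """Header lines of every part, a stand-in for MULTIPART_PART_HEADERS."""
    headers = []
    for part in body.split(b"--" + boundary)[1:]:  # element 0 is the preamble
        if part.startswith(b"--"):                 # closing "--boundary--"
            break
        head = part.lstrip(b"\r\n").split(b"\r\n\r\n", 1)[0]
        headers.append(head.decode("latin-1").split("\r\n"))
    return headers

def vulnerable_chain(headers: list) -> bool:
    """Pre-fix model: rule 1 captures while iterating over every header, rule 2
    then inspects a single TX:1, so each iteration overwrites the last capture."""
    tx, matched = {}, False
    for part in headers:
        for line in part:
            m = CHARSET_RX.match(line)
            if m:
                matched = True
                tx["1"] = m.group(1).lower()   # overwrite: only the last survives
    # the chained rule runs once, after the whole collection was iterated
    return matched and tx["1"] not in ALLOWED_CHARSETS

def fixed_chain(headers: list) -> bool:
    """Fixed model: validate the captured charset of every part, not just the
    one left in TX:1 after the loop, so an early disallowed part is not missed."""
    for part in headers:
        for line in part:
            m = CHARSET_RX.match(line)
            if m and m.group(1).lower() not in ALLOWED_CHARSETS:
                return True
    return False
```

With the sample body, `vulnerable_chain` returns False (the utf-7 part is masked by the final utf-8 part) while `fixed_chain` returns True.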
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-08
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor  Product                          Version / Range
owasp   owasp_modsecurity_core_rule_set  up to 3.3.8 (exclusive)
owasp   owasp_modsecurity_core_rule_set  from 4.0.0 (inclusive) to 4.22.0 (exclusive)
CWE: CWE-794 (The product receives data from an upstream component, but does not filter all instances of a special element before sending it to a downstream component.)
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-21876 is a vulnerability in the OWASP Core Rule Set (CRS) affecting rule 922110 when processing multipart HTTP requests with multiple parts. The rule iterates over multipart headers but overwrites capture variables on each iteration, so only the last part's charset is checked. This means malicious charsets in earlier parts can be missed if a later part has a legitimate charset, allowing attackers to bypass security checks by hiding malicious content in earlier multipart sections. [5, 3, 4]


How can this vulnerability impact me?

This vulnerability can severely impact confidentiality by allowing malicious payloads with harmful charsets to bypass detection in multipart HTTP requests. Attackers can exploit this remotely without privileges or user interaction, potentially exposing sensitive data. It also has a moderate impact on data integrity but does not affect availability. Essentially, it allows attackers to evade web application firewall protections, increasing the risk of data breaches or unauthorized data manipulation. [5]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection involves inspecting HTTP multipart requests for multiple Content-Type headers with potentially malicious charset parameters. The patched OWASP Core Rule Set (CRS) rules (922140, 922150, 922110) track and validate all multipart Content-Type headers and their charset parameters. To detect exploitation attempts, monitor your web application firewall (WAF) logs for alerts triggered by rule 922110 indicating invalid or malicious charset values in multipart requests. Specific commands depend on your WAF setup, but generally, you can use tools like tcpdump or Wireshark to capture HTTP traffic and grep or jq to filter logs for rule 922110 triggers. For example, on a system with ModSecurity and CRS enabled, you can search the audit logs for rule 922110 alerts: `grep 'id "922110"' /var/log/modsec_audit.log` or use your WAF's query interface to find blocked requests matching this rule. [3, 4, 5]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the OWASP Core Rule Set (CRS) to version 4.22.0 or 3.3.8 or later, where the vulnerability in rule 922110 processing multipart requests is fixed. These versions include enhanced rules (922140, 922150, 922110) that correctly track and validate multiple Content-Type headers and their charset parameters to prevent bypass. Until you can upgrade, consider applying temporary custom rules to detect multiple Content-Type headers with suspicious charset values or disable processing of multipart requests if feasible. Also, monitor your WAF logs for suspicious multipart requests and block or alert on those matching the vulnerable pattern. [2, 3, 4, 5]

