CVE-2026-33691
Whitespace Bypass in OWASP CRS Allows Dangerous File Uploads
Publication date: 2026-04-02
Last updated on: 2026-04-18
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| owasp | owasp_modsecurity_core_rule_set | to 3.3.9 (exc) |
| owasp | owasp_modsecurity_core_rule_set | From 4.0.0 (inc) to 4.25.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-178 | The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability CVE-2026-33691 allows attackers to bypass file upload extension checks by inserting whitespace padding in filenames, enabling the upload of dangerous files such as .php, .phar, .jsp, and .jspx. This can lead to the deployment of malicious web shells and remote code execution on affected systems.
Such unauthorized file uploads and potential remote code execution can compromise the confidentiality and integrity of data processed or stored by the affected web applications. This poses a risk to compliance with common security standards and regulations like GDPR and HIPAA, which require organizations to protect personal and sensitive data against unauthorized access and breaches.
If exploited, this vulnerability could lead to data breaches or unauthorized system control, which may result in violations of regulatory requirements for data protection, incident response, and breach notification.
Therefore, failure to patch this vulnerability could negatively impact an organization's compliance posture by exposing it to risks of data compromise and regulatory penalties.
Can you explain this vulnerability to me?
CVE-2026-33691 is a vulnerability in the OWASP Core Rule Set (CRS) that allows attackers to bypass file upload extension checks by inserting whitespace characters in filenames. Specifically, before versions 3.3.9 and 4.25.0, certain CRS rules designed to detect and block dangerous file uploads (such as files with extensions .php, .phar, .jsp, .jspx) did not remove or normalize whitespace before evaluating the file extension using regular expressions.
Because the rules only applied transformations like lowercase conversion but did not remove whitespace, attackers could upload files with whitespace padding around or within the extension (e.g., "photo. php" or "shell.jsp ") to evade detection. This allowed malicious files, including web shells or PHP injection payloads, to bypass the CRS protections.
The vulnerability was fixed by adding a transformation called `t:removeWhitespace` to the affected rules, which strips whitespace from filenames before applying regex checks, thus preventing this bypass technique.
How can this vulnerability impact me? :
This vulnerability can allow attackers to upload malicious files with dangerous extensions such as .php, .phar, .jsp, and .jspx by bypassing the file extension checks in the OWASP Core Rule Set.
If the backend system processes filenames by trimming or normalizing whitespace (common in Windows environments), these malicious files can be executed, potentially leading to remote code execution or deployment of web shells.
On Linux systems, exploitation depends on whether the backend or webserver applies whitespace trimming functions; if not, the system may not be vulnerable.
Overall, this vulnerability increases the risk of unauthorized code execution and compromise of the web application or server by allowing attackers to upload and execute malicious scripts that should have been blocked.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring file upload attempts that include filenames with whitespace padding around or within dangerous file extensions such as .php, .phar, .jsp, and .jspx. Since the vulnerability involves bypassing detection rules by inserting whitespace in filenames, detection involves inspecting HTTP requests, especially multipart form-data uploads and HTTP headers like X-Filename, for suspicious filenames containing whitespace around extensions.
Specifically, detection rules in the OWASP Core Rule Set (CRS) that were vulnerable include rules 932180, 933110, 933111, and 944140. These rules check for malicious file uploads but prior to the fix did not normalize whitespace. To detect exploitation attempts, you can analyze web server logs or use ModSecurity with updated CRS rules that include the `t:removeWhitespace` transformation to catch filenames with whitespace padding.
Suggested commands to detect this vulnerability on your system include using tools like `grep` or `awk` to search web server logs for suspicious filenames with whitespace around extensions. For example:
- grep -iE 'filename=.*\.(php|phar|jsp|jspx)\s' /var/log/apache2/access.log
- grep -iE 'filename=.*\s+\.(php|phar|jsp|jspx)' /var/log/nginx/access.log
- Use ModSecurity audit logs to identify requests triggering rules 932180, 933110, 933111, or 944140 with filenames containing whitespace.
Additionally, enabling and reviewing ModSecurity logs with the updated CRS rules (version 3.3.9 or later, or 4.25.0 or later) will help detect and block such attempts automatically.
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation step is to upgrade the OWASP Core Rule Set (CRS) to version 3.3.9 or later, or 4.25.0 or later, where this vulnerability has been patched. These versions include fixes that add the `t:removeWhitespace` transformation to relevant detection rules, preventing attackers from bypassing file upload restrictions by inserting whitespace in filenames.
If upgrading immediately is not possible, consider applying the patch that adds the `t:removeWhitespace` transformation to the affected rules (932180, 933110, 933111, and 944140) manually to your current CRS installation.
Additional mitigation steps include:
- Configure your web application firewall (WAF) or ModSecurity to normalize filenames by removing whitespace before evaluating file extensions.
- Implement strict backend validation to reject files with suspicious extensions, especially those with whitespace padding.
- Monitor and block HTTP requests attempting to upload files with whitespace-padded dangerous extensions.
- If possible, harden backend systems to avoid automatic trimming or normalization of filenames that could allow execution of malicious files.