A critical vulnerability in the OWASP Core Rule Set (CRS) has been discovered that allows attackers to bypass important security protections designed to prevent charset-based attacks.
The vulnerability, tracked as CVE-2026-21876, affects rule 922110 and carries a severity score of 9.3 (CRITICAL).
OWASP CRS Vulnerability
Rule 922110 is designed to block dangerous character encodings, such as UTF-7 and UTF-16, in multipart form requests.
These encodings are commonly exploited to bypass filters and launch cross-site scripting (XSS) attacks.
| Aspect | Details |
|---|---|
| CVE ID | CVE-2026-21876 |
| Severity | CRITICAL (9.3) |
| CWE | CWE-794 |
| CVSS Score | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N |
However, the rule contains a critical flaw: it only validates the last part of a multipart request, ignoring earlier parts.
Attackers can exploit this by placing malicious UTF-7 encoded JavaScript in the first part of a multipart request while placing legitimate UTF-8 content in the last part.
The rule checks only the last part, allowing the attack to slip through undetected. The vulnerability impacts all users running CRS versions 3.3. x (through 3.3.7) and 4.0.0 through 4.21.0.
These versions are used across Apache ModSecurity v2, ModSecurity v3, and Coraza installations worldwide. Without this protection, attackers can send charset-encoded payloads directly to backend applications.
UTF-7 XSS attacks are well-documented and challenging to defend against when they bypass the WAF layer. This removes a critical layer of defense from affected systems.
What Should Users Do?
The OWASP CRS team has released patches available immediately: CRS 4.x users: Upgrade to version 4.22.0, CRS 3.3.x users: Upgrade to version 3.3.8.
The fixes are backward compatible and require no configuration changes. Users should upgrade as soon as possible and verify that the fix is active in their systems.
Instead of checking only the last multipart part, the patched rules now store and validate all parts individually using a counter-based system.
Every part’s charset is now checked, ensuring malicious encodings cannot slip through regardless of position.
Patches were developed and released on January 6, 2026, with coordinated public disclosure. The CVE is tracked with internal ID 9AJ-260102.
The OWASP CRS team recommends that all users take immediate action to protect their applications from this critical bypass vulnerability.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
