CVE-2026-21876
Published: 08 January 2026
Summary
CVE-2026-21876 is a critical-severity Incomplete Filtering of Multiple Instances of Special Elements (CWE-794) vulnerability in the OWASP ModSecurity Core Rule Set (CRS). Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks in the top 4.1% of CVEs by exploit likelihood (EPSS percentile), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-7 (Boundary Protection).
Deeper analysis
The vulnerability is a logic bug in the OWASP Core Rule Set (CRS) affecting rule 922110 prior to versions 4.22.0 and 3.3.8. The rule inspects the charset declared in each multipart part's Content-Type header by iterating over collections such as MULTIPART_PART_HEADERS; because the capture variables TX:0 and TX:1 are overwritten on each iteration, only the final captured value reaches the subsequent chained rule. A disallowed charset in an earlier part is therefore ignored whenever a later part declares a benign charset. The affected component is the generic attack-detection rule set used by compatible web application firewalls, so every WAF deployment running an affected CRS version is exposed, regardless of the engine underneath it.
An unauthenticated remote attacker can craft a multipart request that places a malicious charset in an earlier part and a legitimate charset in a later part. Because the chained rule only evaluates the last captured value, the request evades detection. The CVE itself is a detection bypass at the WAF layer; the realized impact depends on what the smuggled charset lets the request do against the backend application, which the CVSS 9.3 score reflects as high confidentiality impact and limited integrity impact.
The referenced GitHub advisory and release notes state that the issue is resolved in CRS 4.22.0 and 3.3.8; users should upgrade to one of these versions. The associated commits correct the capture-variable handling so that each multipart part is evaluated independently by the rule chain. The EPSS probability remains low (peak 0.0398) and no real-world exploitation has been reported.
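The following Python simulation is an added illustration, not CRS code and not the referenced proof-of-concept: it parses a constructed two-part multipart body, extracts the charset declared in each part's Content-Type header, and contrasts a "last capture wins" chain evaluation (the pre-4.22.0/3.3.8 behaviour described above) with a per-part evaluation (the fixed behaviour). The allowed-charset set, the sample body and the helper names are assumptions made for this example.

```python
import re
from typing import Dict, List, Optional

# Assumption for this example: a stand-in for the allowed-charset list that CRS
# keeps in tx.allowed_request_content_type_charset; values are illustrative.
ALLOWED_CHARSETS = frozenset({"utf-8", "iso-8859-1", "iso-8859-15", "windows-1252"})

# Constructed sample request body (not taken from the advisory). Part 1 declares
# utf-7, which is outside the allowed set; part 2 declares the benign utf-8.
BOUNDARY = "----exampleboundary"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="upload"; filename="x.txt"\r\n'
    "Content-Type: text/plain; charset=utf-7\r\n"
    "\r\n"
    "+ADw-script+AD4-\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="comment"\r\n'
    "Content-Type: text/plain; charset=utf-8\r\n"
    "\r\n"
    "hello\r\n"
    f"--{BOUNDARY}--\r\n"
)

# Matches the charset parameter of a Content-Type value, quoted or bare.
CHARSET_RE = re.compile(r'charset\s*=\s*"?([^";\s]+)', re.IGNORECASE)


def parse_multipart_headers(body: str, boundary: str) -> List[Dict[str, str]]:
    """Return one lower-cased header dict per part (the MULTIPART_PART_HEADERS analogue)."""
    delimiter = "--" + boundary
    parts: List[Dict[str, str]] = []
    for chunk in body.split(delimiter)[1:]:  # [0] is the preamble before the first boundary
        chunk = chunk.lstrip()
        if chunk.startswith("--"):  # closing delimiter "--boundary--"
            break
        head, _, _body = chunk.partition("\r\n\r\n")
        headers: Dict[str, str] = {}
        for line in head.splitlines():
            name, sep, value = line.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        parts.append(headers)
    return parts


def part_charset(headers: Dict[str, str]) -> Optional[str]:
    """Charset declared in a part's Content-Type header, lower-cased, or None."""
    content_type = headers.get("content-type")
    if not content_type:
        return None
    match = CHARSET_RE.search(content_type)
    return match.group(1).lower() if match else None


def chain_vulnerable(parts: List[Dict[str, str]], allowed=ALLOWED_CHARSETS) -> bool:
    """Pre-fix semantics: the first rule iterates the collection and overwrites the
    capture (TX:1) on every match, so the chained rule only sees the last capture.
    Returns True when the request would be blocked."""
    tx_1: Optional[str] = None
    for headers in parts:
        charset = part_charset(headers)
        if charset is not None:
            tx_1 = charset  # overwritten on each iteration
    if tx_1 is None:
        return False
    return tx_1 not in allowed  # chained rule: block only if the surviving capture is disallowed


def chain_fixed(parts: List[Dict[str, str]], allowed=ALLOWED_CHARSETS) -> List[str]:
    """Post-fix semantics: each part's charset is checked on its own.
    Returns the disallowed charsets found (non-empty means the request is blocked)."""
    offending: List[str] = []
    for headers in parts:
        charset = part_charset(headers)
        if charset is not None and charset not in allowed:
            offending.append(charset)
    return offending


if __name__ == "__main__":
    parts = parse_multipart_headers(SAMPLE_BODY, BOUNDARY)
    print("declared charsets:", [part_charset(p) for p in parts])
    print("vulnerable chain blocks request:", chain_vulnerable(parts))   # False: utf-7 is missed
    print("fixed chain blocks request:", bool(chain_fixed(parts)))       # True
```

Reversing the order of the two parts makes the vulnerable evaluation block the request as well, which is exactly the ordering dependence the advisory describes: the bypass works only when the benign part comes last.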
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1669
Vulnerability details
The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue.
- CWE(s): CWE-794 Incomplete Filtering of Multiple Instances of Special Elements
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The bypass defeats a WAF rule that sits in front of public-facing web applications, so it enables unauthenticated remote exploitation of those applications, which maps to Exploit Public-Facing Application (T1190).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires applying the CRS 4.22.0/3.3.8 patches that correct the MULTIPART_PART_HEADERS capture-variable overwrite in rule 922110.
- SC-7 (Boundary Protection): boundary-protection devices (WAFs) running CRS must use the corrected multipart charset inspection to block the evasion.
- SI-3 (Malicious Code Protection): malicious-code-protection mechanisms rely on accurate CRS rule evaluation to detect and block the crafted multipart requests described in the CVE.