CVE-2026-21876
Published: 08 January 2026
Summary
CVE-2026-21876 is a critical-severity Incomplete Filtering of Multiple Instances of Special Elements (CWE-794) vulnerability in the OWASP ModSecurity Core Rule Set. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 12.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely identification, reporting, and patching of flaws such as the OWASP CRS rule 922110 bug, here by upgrading to version 4.22.0 or 3.3.8.
- RA-5 (Vulnerability Monitoring and Scanning): enables vulnerability scanning to identify CVE-2026-21876 in deployed WAF rulesets and prompt remediation.
- Ensures receipt and dissemination of security advisories such as GHSA-36fv-25j3-r2c5 for the CRS multipart processing flaw.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
WAF rule bypass in multipart charset detection directly enables remote exploitation of public-facing web applications without authentication.
NVD Description
The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue.
Deeper analysis
CVE-2026-21876 affects the OWASP Core Rule Set (CRS), a collection of generic attack detection rules used with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, rule 922110 contains a bug when processing multipart requests with multiple parts. During iteration over collections like MULTIPART_PART_HEADERS, capture variables such as TX:0 and TX:1 are overwritten with each iteration, leaving only the last captured value available to chained rules. This can cause malicious charsets in earlier parts to be missed if a subsequent part contains a legitimate charset.
Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network, and the attack complexity is low. A multipart request that carries a malicious charset in an early part followed by a legitimate charset in a later part evades detection by rule 922110. The vulnerability has a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N). The scope change reflects that bypassing the WAF exposes the web application behind it; the vector rates confidentiality impact as high, integrity impact as low, and availability impact as none. It is associated with CWE-794.
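As an added illustration (not CRS rule text or project code), the Python model below reproduces the capture-overwrite behaviour described above: the first function mirrors the pre-fix chain, in which only the last captured charset reaches the chained allow-list check, and the second applies the check to every part, which is what the fix must achieve. The allow-list, the capture regex and the sample part headers are constructed for this example and are not the CRS defaults.

```python
import re
from typing import List, Optional

# Constructed allow-list standing in for a WAF's allowed-charset setting
# (an assumption for this model, not the CRS default).
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1", "iso-8859-15", "windows-1252"}

# Captures the charset parameter of a Content-Type header; group 1 plays
# the role of TX:1 in the rule chain.
CHARSET_RE = re.compile(r'charset\s*=\s*"?([^\s";]+)', re.IGNORECASE)

# Constructed headers of two parts of one multipart body: the first part
# declares a charset outside the allow-list, the second a permitted one.
SAMPLE_PART_HEADERS = [
    'Content-Disposition: form-data; name="a"\r\n'
    'Content-Type: text/plain; charset=x-not-allowed',
    'Content-Disposition: form-data; name="b"\r\n'
    'Content-Type: text/plain; charset=utf-8',
]


def capture_charset(part_header: str) -> Optional[str]:
    """Return the charset a part declares, lower-cased, or None."""
    m = CHARSET_RE.search(part_header)
    return m.group(1).lower() if m else None


def chained_last_capture(part_headers: List[str]) -> bool:
    """Model of the pre-fix chain: the first rule walks every part and
    overwrites TX:1 on each match, so the chained allow-list check runs
    once, against whatever the last matching part captured.
    Returns True when the chain would block the request."""
    tx1 = None
    for header in part_headers:
        cap = capture_charset(header)
        if cap is not None:
            tx1 = cap  # earlier captures are lost at this point
    return tx1 is not None and tx1 not in ALLOWED_CHARSETS


def check_each_part(part_headers: List[str]) -> List[str]:
    """Per-part evaluation: the allow-list check is applied to every
    captured charset, so a disallowed value in any part is reported."""
    return [c for c in map(capture_charset, part_headers)
            if c is not None and c not in ALLOWED_CHARSETS]


if __name__ == "__main__":
    print("last-capture chain blocks:", chained_last_capture(SAMPLE_PART_HEADERS))
    print("per-part check flags:", check_each_part(SAMPLE_PART_HEADERS))
```

Reordering the two sample parts makes the last-capture chain block, which is the ordering dependence the advisory describes.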
Mitigation requires upgrading to OWASP CRS version 4.22.0 or 3.3.8, where the issue is patched via specific commits. The GitHub security advisory GHSA-36fv-25j3-r2c5 and release notes detail the fixes, including commit 80d80473abf71bd49bf6d3c1ab221e3c74e4eb83 for the v4 branch and 9917985de09a6cf38b3261faf9105e909d67a7d6 for v3.
Details
- CWE(s)