CVE-2026-33691
Published: 02 April 2026
Summary
CVE-2026-33691 is a medium-severity Improper Handling of Case Sensitivity (CWE-178) vulnerability in the OWASP ModSecurity Core Rule Set. Its CVSS base score is 6.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 9.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and CM-6 (Configuration Settings).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- SI-2 (Flaw Remediation): Directly requires timely identification, reporting, and correction of the flaw in OWASP CRS by upgrading to patched versions 3.3.9 or 4.25.0, eliminating the whitespace padding bypass in file extension checks.
- Provides defense-in-depth by mandating validation and normalization of file upload inputs, such as filenames, so that dangerous extensions like .php are detected even if the vulnerable CRS rules are bypassed.
- CM-6 (Configuration Settings): Ensures web application firewalls are configured with secure, up-to-date settings, including patched OWASP CRS rulesets, to mitigate filename extension bypass vulnerabilities.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The vulnerability in the OWASP CRS WAF rules enables a bypass of file extension checks for uploads of malicious files (e.g. .php web shells), directly facilitating T1100 Web Shell and T1190 Exploit Public-Facing Application against the WAF-protected server.
NVD Description
The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, a bypass was identified in OWASP CRS that allows uploading files with dangerous extensions (.php, .phar, .jsp, .jspx) by inserting whitespace padding in the filename (e.g. "photo. php" or "shell.jsp "). The affected rules do not normalize whitespace before evaluating the file extension regex, so the dot-extension check fails to match. This issue has been patched in versions 3.3.9 and 4.25.0.
Deeper analysis [AI]
CVE-2026-33691 is a vulnerability in the OWASP Core Rule Set (CRS), a collection of generic attack detection rules designed for use with compatible web application firewalls. Prior to versions 3.3.9 and 4.25.0, the affected rules fail to normalize whitespace in filenames before evaluating file extension regular expressions, enabling a bypass that allows uploading files with dangerous extensions such as .php, .phar, .jsp, and .jspx. Attackers can exploit this by inserting whitespace padding into the filename, for example "photo. php" (a space after the dot) or "shell.jsp " (a trailing space), so that the dot-extension check fails to match.
Remote attackers with network access can exploit this vulnerability without privileges or user interaction, though it requires high attack complexity. Successful exploitation changes the scope and results in high integrity impact by bypassing file upload restrictions in web application firewalls using the vulnerable CRS, potentially allowing attackers to upload malicious files that could lead to server-side code execution if processed by the underlying web application.
Mitigation is available through upgrading to OWASP CRS versions 3.3.9 or 4.25.0, where the issue has been patched. Relevant GitHub references include the fixing commit at https://github.com/coreruleset/coreruleset/commit/2a8c63512811c5dd74472becebb79a783e68ff02 and pull requests #4546, #4547, and #4548, along with the v3.3.9 release at https://github.com/coreruleset/coreruleset/releases/tag/v3.3.9. The vulnerability is rated 6.8 on the CVSS 3.1 scale (AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N) and maps to CWE-178 (Improper Handling of Case Sensitivity).
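To make the failure mode concrete, here is an added example (not CRS code, and not taken from the fixing commit) that contrasts a dot-extension regex applied to the raw filename with the same regex applied after whitespace normalization. The regex, the `normalize_filename` helper and the sample filenames are constructed for illustration; the real CRS rule patterns are not reproduced here.

```python
import re

# Server-executable extensions named in the CVE description.
DANGEROUS_EXT = ("php", "phar", "jsp", "jspx")

# Constructed stand-in for a dot-extension check: the dot must be immediately
# followed by the extension, and the extension must end the string. This is an
# assumption about the shape of such rules, not the actual CRS regex.
EXT_RE = re.compile(r"\.(?:%s)$" % "|".join(DANGEROUS_EXT), re.IGNORECASE)


def is_blocked_unnormalized(filename: str) -> bool:
    """Vulnerable behaviour: the regex runs on the raw filename, so whitespace
    padding around the dot or after the extension prevents a match."""
    return EXT_RE.search(filename) is not None


def normalize_filename(filename: str) -> str:
    """Strip every whitespace run (spaces, tabs, newlines) before evaluation.
    The normalized form is used only for the check, never for storage."""
    return re.sub(r"\s+", "", filename)


def is_blocked_normalized(filename: str) -> bool:
    """Hardened behaviour: normalize first, then apply the same regex."""
    return EXT_RE.search(normalize_filename(filename)) is not None


def audit(filenames):
    """Map each filename to (raw-check blocked?, normalized-check blocked?).
    Handy as a regression test for a WAF or upload handler's extension logic."""
    return {
        name: (is_blocked_unnormalized(name), is_blocked_normalized(name))
        for name in filenames
    }


if __name__ == "__main__":
    # Constructed sample upload filenames; the padded ones mirror the page's examples.
    samples = ["photo.php", "photo. php", "shell.jsp ", "app.\tphar", "report.pdf"]
    for name, (raw, norm) in audit(samples).items():
        print(f"{name!r:14} raw-check blocked={raw!s:5} normalized-check blocked={norm}")
```

Any padded name that the raw check lets through but the normalized check blocks is exactly the class of input the patched CRS versions now catch.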
Details
- CWE(s)