The vulnerability, tracked as CVE-2026-21876, affects rule 922110 and carries a severity score of 9.3 (CRITICAL).
Rule 922110 is designed to block dangerous character encodings, such as UTF-7 and UTF-16, in multipart form requests.
These encodings are commonly exploited to bypass filters and launch cross-site scripting (XSS) attacks.
| Aspect | Details |
|---|---|
| CVE ID | CVE-2026-21876 |
| Severity | CRITICAL (9.3) |
| CWE | CWE-794 |
| CVSS Score | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N |
However, the rule contains a critical flaw: it only validates the last part of a multipart request, ignoring earlier parts.
Attackers can exploit this by placing malicious UTF-7 encoded JavaScript in the first part of a multipart request while placing legitimate UTF-8 content in the last part.
The rule checks only the last part, allowing the attack to slip through undetected. The vulnerability impacts all users running CRS versions 3.3. x (through 3.3.7) and 4.0.0 through 4.21.0.
These versions are used across Apache ModSecurity v2, ModSecurity v3, and Coraza installations worldwide. Without this protection, attackers can send charset-encoded payloads directly to backend applications.
UTF-7 XSS attacks are well-documented and challenging to defend against when they bypass the WAF layer. This removes a critical layer of defense from affected systems.
The OWASP CRS team has released patches available immediately: CRS 4.x users: Upgrade to version 4.22.0, CRS 3.3.x users: Upgrade to version 3.3.8.
The fixes are backward compatible and require no configuration changes. Users should upgrade as soon as possible and verify that the fix is active in their systems.
Instead of checking only the last multipart part, the patched rules now store and validate all parts individually using a counter-based system.
Every part’s charset is now checked, ensuring malicious encodings cannot slip through regardless of position.
Patches were developed and released on January 6, 2026, with coordinated public disclosure. The CVE is tracked with internal ID 9AJ-260102.
The OWASP CRS team recommends that all users take immediate action to protect their applications from this critical bypass vulnerability.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post OWASP CRS Vulnerability Allows Attackers to Bypass Charset Validation appeared first on Cyber Security News.
Looking for a powerful ebike with the speed and range to meet your ambitious needs?…
Don't miss this great opportunity to add to your 4K movie collection. Gruv, one of…
Federal Reserve Chair Jerome Powell speaks during a press conference on Dec. 10, 2025 in…
Federal Reserve Chair Jerome Powell speaks during a press conference on Dec. 10, 2025 in…
Estefany Maria Rodríguez Florez pictured with her husband. Her arrest by ICE agents has sparked…
Nvidia announced DLSS 5 on Monday during its GTC conference, and based on early reactions,…
This website uses cookies.