Categories: Cyber Security News

OWASP CRS Vulnerability Allows Attackers to Bypass Charset Validation

A critical vulnerability in the OWASP Core Rule Set (CRS) has been discovered that allows attackers to bypass important security protections designed to prevent charset-based attacks.

The vulnerability, tracked as CVE-2026-21876, affects rule 922110 and carries a severity score of 9.3 (CRITICAL).

Table of Contents

Toggle

OWASP CRS Vulnerability

Rule 922110 is designed to block dangerous character encodings, such as UTF-7 and UTF-16, in multipart form requests.

These encodings are commonly exploited to bypass filters and launch cross-site scripting (XSS) attacks.

Aspect	Details
CVE ID	CVE-2026-21876
Severity	CRITICAL (9.3)
CWE	CWE-794
CVSS Score	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

However, the rule contains a critical flaw: it only validates the last part of a multipart request, ignoring earlier parts.

Attackers can exploit this by placing malicious UTF-7 encoded JavaScript in the first part of a multipart request while placing legitimate UTF-8 content in the last part.

The rule checks only the last part, allowing the attack to slip through undetected. The vulnerability impacts all users running CRS versions 3.3. x (through 3.3.7) and 4.0.0 through 4.21.0.

These versions are used across Apache ModSecurity v2, ModSecurity v3, and Coraza installations worldwide. Without this protection, attackers can send charset-encoded payloads directly to backend applications.

UTF-7 XSS attacks are well-documented and challenging to defend against when they bypass the WAF layer. This removes a critical layer of defense from affected systems.

What Should Users Do?

The OWASP CRS team has released patches available immediately: CRS 4.x users: Upgrade to version 4.22.0, CRS 3.3.x users: Upgrade to version 3.3.8.

The fixes are backward compatible and require no configuration changes. Users should upgrade as soon as possible and verify that the fix is active in their systems.

Instead of checking only the last multipart part, the patched rules now store and validate all parts individually using a counter-based system.

Every part’s charset is now checked, ensuring malicious encodings cannot slip through regardless of position.

Patches were developed and released on January 6, 2026, with coordinated public disclosure. The CVE is tracked with internal ID 9AJ-260102.

The OWASP CRS team recommends that all users take immediate action to protect their applications from this critical bypass vulnerability.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post OWASP CRS Vulnerability Allows Attackers to Bypass Charset Validation appeared first on Cyber Security News.

Critical Ruby SAML Flaw Allows Attackers to Bypass Authentication

A critical authentication-bypass vulnerability has been discovered in the Ruby SAML library, affecting versions before 1.18.0. The vulnerability enables attackers to execute sophisticated signature wrapping attacks and completely circumvent SAML authentication, posing severe security risks to organizations that rely on this widely used authentication protocol. Vulnerability Details The flaw, tracked…

December 9, 2025

In "Cyber Security News"

W3 Total Cache Command Injection Vulnerability Exposes 1 Million WordPress Sites to RCE Attacks

A critical command injection vulnerability has been discovered in the W3 Total Cache plugin, one of WordPress’s most popular caching solutions used by approximately 1 million websites. The vulnerability, tracked as CVE-2025-9501 with a CVSS severity score of 9.0 (Critical), allows unauthenticated attackers to execute arbitrary PHP commands directly on vulnerable servers. W3 Total Cache…

November 18, 2025

In "Cyber Security News"