CyberSecurityNewsArchived Jun 24, 2026✓ Full text saved
OWASP CRS Vulnerability Allows Attackers to Bypass Charset Validation CyberSecurityNews
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
OWASP CRS Vulnerability Allows Attackers to Bypass Charset Validation
By Abinaya
January 9, 2026
A critical vulnerability in the OWASP Core Rule Set (CRS) has been discovered that allows attackers to bypass important security protections designed to prevent charset-based attacks.
The vulnerability, tracked as CVE-2026-21876, affects rule 922110 and carries a severity score of 9.3 (CRITICAL).
OWASP CRS Vulnerability
Rule 922110 is designed to block dangerous character encodings, such as UTF-7 and UTF-16, in multipart form requests.
These encodings are commonly exploited to bypass filters and launch cross-site scripting (XSS) attacks.
Aspect Details
CVE ID CVE-2026-21876
Severity CRITICAL (9.3)
CWE CWE-794
CVSS Score CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
However, the rule contains a critical flaw: it only validates the last part of a multipart request, ignoring earlier parts.
Attackers can exploit this by placing malicious UTF-7 encoded JavaScript in the first part of a multipart request while placing legitimate UTF-8 content in the last part.
The rule checks only the last part, allowing the attack to slip through undetected. The vulnerability impacts all users running CRS versions 3.3. x (through 3.3.7) and 4.0.0 through 4.21.0.
These versions are used across Apache ModSecurity v2, ModSecurity v3, and Coraza installations worldwide. Without this protection, attackers can send charset-encoded payloads directly to backend applications.
UTF-7 XSS attacks are well-documented and challenging to defend against when they bypass the WAF layer. This removes a critical layer of defense from affected systems.
What Should Users Do?
The OWASP CRS team has released patches available immediately: CRS 4.x users: Upgrade to version 4.22.0, CRS 3.3.x users: Upgrade to version 3.3.8.
The fixes are backward compatible and require no configuration changes. Users should upgrade as soon as possible and verify that the fix is active in their systems.
Instead of checking only the last multipart part, the patched rules now store and validate all parts individually using a counter-based system.
Every part’s charset is now checked, ensuring malicious encodings cannot slip through regardless of position.
Patches were developed and released on January 6, 2026, with coordinated public disclosure. The CVE is tracked with internal ID 9AJ-260102.
The OWASP CRS team recommends that all users take immediate action to protect their applications from this critical bypass vulnerability.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
Tags
cyber security
cyber security news
vulnerability
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Abinayahttps://cybersecuritynews.com/
Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
Trending News
Browser-in-the-Browser Kit Uses Fake Software Errors to Deliver Malware Installers
15 Best Linux Network Monitoring Tools in 2026
Hackers Abuse PowerShell Commands to Deliver SmartRAT Through Brazilian Bank Phishing Page
Hackers Exploit Unpatched SharePoint Servers to Deploy Ransomware and Custom Backdoors
New iPhone BootROM Vulnerability Exposes Apple SoCs to Full Chain-of-Trust Compromise
Latest News
ANY.RUN
EvilTokens Hides Its Attack Flow in the Browser, Exposing Static Analysis Gaps
Cyber Security
Hackers Exploiting Cisco Catalyst SD-WAN Manager 0-Day Flaw to Gain Root-Level Access
Cyber Security
Authorities Disrupt Stealer Malware StealC and Amadey Infrastructure in Global Operation
Cyber Security News
Fake Income Tax Assessment Notice Delivers RAT-Like Malware to Windows Users
Cyber Security News
PoC Exploit Released for Microsoft Exchange Server Elevation of Privilege Vulnerability