OWASP CRS Vulnerability Allows Attackers to Bypass Charset Validation - CyberSecurityNews

CyberSecurityNews, archived Jun 24, 2026

By Abinaya, January 9, 2026

A critical vulnerability in the OWASP Core Rule Set (CRS) has been discovered that allows attackers to bypass the protection designed to stop charset-based attacks. The vulnerability, tracked as CVE-2026-21876, affects rule 922110 and carries a CVSS score of 9.3 (CRITICAL).

OWASP CRS Vulnerability

Rule 922110 is designed to block dangerous character encodings, such as UTF-7 and UTF-16, declared in the parts of multipart form requests. These encodings are commonly used to evade filters and deliver cross-site scripting (XSS) payloads.

CVE ID: CVE-2026-21876
Severity: CRITICAL (9.3)
CWE: CWE-794 (Incomplete Filtering of Multiple Instances of Special Elements)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

However, the rule contains a critical flaw: it validates only the last part of a multipart request and ignores every earlier part. An attacker exploits this by placing UTF-7 encoded JavaScript in the first part of a multipart request and legitimate UTF-8 content in the last part. Because the rule checks only the last part, the malicious part passes through undetected.

The vulnerability affects all CRS 3.3.x releases through 3.3.7 and CRS 4.0.0 through 4.21.0. These versions are deployed on ModSecurity v2 (Apache), ModSecurity v3, and Coraza installations worldwide. Without this protection, charset-encoded payloads reach the backend application unfiltered. UTF-7 XSS attacks are well documented and hard to defend against once they get past the WAF layer, so this bug removes a critical layer of defense from affected systems.

What Should Users Do?

The OWASP CRS team has released patches: CRS 4.x users should upgrade to version 4.22.0, and CRS 3.3.x users should upgrade to version 3.3.8. The fixes are backward compatible and require no configuration changes. Users should upgrade as soon as possible and verify that the fix is active in their systems.
Instead of checking only the last multipart part, the patched rules store and validate every part individually using a counter-based system. Each part's charset is now checked, so a malicious encoding cannot slip through regardless of its position in the request. Patches were developed and released on January 6, 2026, with coordinated public disclosure. The CVE is tracked under OWASP CRS internal ID 9AJ-260102. The OWASP CRS team recommends that all users take immediate action to protect their applications from this bypass vulnerability.

Abinaya is a Security Editor and reporter with Cyber Security News, covering cyber security incidents.
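The following Python script is an added example, not code from the article or from the OWASP CRS project, and it does not reproduce the actual SecLang text of rule 922110. It re-implements the two behaviours the article describes, a check that inspects only the last multipart part and a check that inspects every part, runs both over a constructed multipart body laid out exactly as the bypass requires (UTF-7 part first, UTF-8 part last), and decodes the first part the way a charset-honouring backend would. The charset allowlist, the boundary string, the field names and the payload are all assumptions made for the example.

```python
import re

# Allowed charsets for this demo. This is an assumption for the example; CRS keeps
# its own allowlist in crs-setup.conf, which is not reproduced here.
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1", "iso-8859-15", "windows-1252"}

# Matches a charset parameter in a Content-Type value, e.g. "text/plain; charset=utf-7".
CHARSET_RE = re.compile(r'^[^;]+;\s*charset\s*=\s*["\']?([^;"\'\s]+)', re.I)

# The XSS payload as UTF-7 text: "+ADw-" encodes "<" and "+AD4-" encodes ">".
UTF7_PAYLOAD = "+ADw-script+AD4-alert(1)+ADw-/script+AD4-"
BOUNDARY = "crs922110demo"  # assumed boundary for the constructed bodies


def build_multipart(boundary, fields):
    """Build a multipart/form-data body with CRLF line endings, as on the wire.

    fields is a list of (name, charset, payload) tuples; the order given is the
    order of the parts in the body. Constructed input for this example."""
    out = []
    for name, charset, payload in fields:
        out.append(f"--{boundary}\r\n")
        out.append(f'Content-Disposition: form-data; name="{name}"\r\n')
        out.append(f"Content-Type: text/plain; charset={charset}\r\n\r\n")
        out.append(f"{payload}\r\n")
    out.append(f"--{boundary}--\r\n")
    return "".join(out)


def parse_parts(body, boundary):
    """Split a multipart body into a list of (headers, payload) tuples.

    headers is a dict keyed by lower-cased header name. This is a minimal parser
    for the bodies this example builds, not a general RFC 2046 implementation."""
    parts = []
    for chunk in body.split(f"--{boundary}")[1:]:
        if chunk.startswith("--"):  # closing delimiter, nothing follows
            break
        chunk = chunk[2:] if chunk.startswith("\r\n") else chunk
        header_block, _, payload = chunk.partition("\r\n\r\n")
        headers = {}
        for line in header_block.split("\r\n"):
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        if payload.endswith("\r\n"):
            payload = payload[:-2]
        parts.append((headers, payload))
    return parts


def part_charset(headers):
    """Return the charset declared by a part's Content-Type header, or None."""
    match = CHARSET_RE.match(headers.get("content-type", ""))
    return match.group(1).lower() if match else None


def check_last_part_only(parts):
    """Pre-fix behaviour described in the article: only the last part is inspected.
    Returns the disallowed charsets found; an empty list means the request passes."""
    if not parts:
        return []
    charset = part_charset(parts[-1][0])
    return [charset] if charset and charset not in ALLOWED_CHARSETS else []


def check_every_part(parts):
    """Patched behaviour: every part is inspected and each offender is reported as
    (part index, charset), so the position of the malicious part no longer matters."""
    found = []
    for index, (headers, _) in enumerate(parts):
        charset = part_charset(headers)
        if charset and charset not in ALLOWED_CHARSETS:
            found.append((index, charset))
    return found


def decode_part(part):
    """What a backend that honours the declared per-part charset would see."""
    headers, payload = part
    return payload.encode("ascii").decode(part_charset(headers) or "utf-8")


# Malicious part first, harmless UTF-8 part last: the bypass layout from the article.
BODY_BYPASS = build_multipart(BOUNDARY, [
    ("comment", "utf-7", UTF7_PAYLOAD),
    ("note", "utf-8", "hello"),
])
# The same two parts in the opposite order: the only layout the old check catches.
BODY_LAST = build_multipart(BOUNDARY, [
    ("note", "utf-8", "hello"),
    ("comment", "utf-7", UTF7_PAYLOAD),
])

if __name__ == "__main__":
    for label, body in (("malicious part first", BODY_BYPASS), ("malicious part last", BODY_LAST)):
        parts = parse_parts(body, BOUNDARY)
        print(f"{label}: last-part-only check -> {check_last_part_only(parts)}, "
              f"every-part check -> {check_every_part(parts)}")
    print("backend decodes first part as:", decode_part(parse_parts(BODY_BYPASS, BOUNDARY)[0]))
```

Running the script shows the last-part-only check returning an empty result for the bypass body while the every-part check reports the UTF-7 part at index 0, and the decoded first part is the `<script>` tag the WAF was supposed to stop. Swapping the part order makes the old check fire, which is exactly the position dependence the advisory describes.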