Description
The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue.
Published: 2026-01-08
Score: 9.3 Critical
EPSS: 13.1% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Core Rule Set rule 922110 incorrectly handles multipart form data when multiple content‑type parts are present. During the loop over the headers of each part, the rule writes the charset value into capture variables that are subsequently overwritten. The result is that only the charset from the final part is considered, allowing an attacker to embed dangerous charsets in earlier parts that the rule ignores. The vulnerability therefore permits malicious input to slip past the set of transformations and detections that rely on rule 922110, effectively breaking the intended protection.

Affected Systems

Deployments that employ the OWASP ModSecurity Core Rule Set before versions 3.3.8 or 4.22.0 are impacted. These include many web application firewalls or security‑aware HTTP libraries that import the CRS for generic attack detection.

Risk and Exploitability

The CVSS score of 9.3 marks this flaw as critical. Given the EPSS score of 13 %, the likelihood of exploitation is high relative to other vulnerabilities. The issue is not yet listed in the CISA KEV catalog, but the remote nature of the attack vector—sending crafted multipart HTTP requests—is likely. Successful exploitation allows malicious charsets to be injected into earlier parts of a multipart request while the final part appears legitimate, thereby bypassing detection by the CRS and any downstream security controls that depend on rule 922110.

Generated by OpenCVE AI on June 18, 2026 at 06:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the OWASP ModSecurity Core Rule Set to version 4.22.0 or 3.3.8, which contain the fix for rule 922110.
  • Retest the updated rule against multipart requests that include multiple content‑type parts to verify that malicious charsets are now detected.
  • Perform regression testing on normal multipart uploads to ensure no false positives are introduced by the upgrade.

Generated by OpenCVE AI on June 18, 2026 at 06:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4488-1 modsecurity-crs security update
Debian DSA Debian DSA DSA-6105-1 modsecurity-crs security update
History

Thu, 09 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
References

Mon, 23 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Owasp owasp Modsecurity Core Rule Set
CPEs cpe:2.3:a:owasp:owasp_modsecurity_core_rule_set:*:*:*:*:*:*:*:*
Vendors & Products Owasp owasp Modsecurity Core Rule Set

Mon, 12 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Owasp
Owasp coreruleset
Vendors & Products Owasp
Owasp coreruleset

Thu, 08 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 08 Jan 2026 14:15:00 +0000

Type Values Removed Values Added
Description The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue.
Title OWASP CRS has multipart bypass using multiple content-type parts
Weaknesses CWE-794
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N'}


Subscriptions

Owasp Coreruleset Owasp Modsecurity Core Rule Set
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T15:41:17.073Z

Reserved: 2026-01-05T17:24:36.927Z

Link: CVE-2026-21876

cve-icon Vulnrichment

Updated: 2026-01-08T14:52:52.629Z

cve-icon NVD

Status : Modified

Published: 2026-01-08T14:15:57.087

Modified: 2026-06-17T10:19:04.413

Link: CVE-2026-21876

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T06:15:14Z

Weaknesses
  • CWE-794

    Incomplete Filtering of Multiple Instances of Special Elements