Description
The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue.
Published: 2026-01-08
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Detection bypass of malicious multipart requests
Action: Patch Immediately
AI Analysis

Impact

The Core Rule Set rule 922110 mismanages multipart requests that contain several content‑type parts. While looping over the headers of each part, the rule populates capture variables for the charset but overwrites them on each iteration. Only the charset from the final part is retained, meaning an attacker can place malicious charsets in earlier parts and have them ignored. The rule chain therefore fails to detect the attack and treats the request as legitimate.

Affected Systems

Deployments that rely on the OWASP ModSecurity Core Rule Set from the OWASP project, using any version prior to 3.3.8 or 4.22.0, are affected. Such deployments are common in web application firewalls that depend on the CRS for generic attack detection.

Risk and Exploitability

The issue carries a severity score of 9.3 on the standard scoring system, indicating a critical risk to coverage of protected applications. Predictive modeling shows an exploitation likelihood below 1 %. The vulnerability is not currently listed in the known exploited vulnerabilities catalogues. An attacker must craft multipart HTTP requests that contain multiple content‑type parts. The vector is remote via a web interface, and successful exploitation would allow the bypass of all safeguards that the rule set is designed to enforce.

Generated by OpenCVE AI on April 16, 2026 at 08:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the OWASP ModSecurity Core Rule Set to version 4.22.0 or 3.3.8, which contains the patch for rule 922110.
  • Validate the patched rule 922110 by testing multipart HTTP requests with varied charsets in a staging environment to confirm detection.
  • Execute regression testing of multipart request handling to verify that legitimate requests still pass while malicious ones are flagged.

Generated by OpenCVE AI on April 16, 2026 at 08:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4488-1 modsecurity-crs security update
Debian DSA Debian DSA DSA-6105-1 modsecurity-crs security update
History

Thu, 09 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
References

Mon, 23 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Owasp owasp Modsecurity Core Rule Set
CPEs cpe:2.3:a:owasp:owasp_modsecurity_core_rule_set:*:*:*:*:*:*:*:*
Vendors & Products Owasp owasp Modsecurity Core Rule Set

Mon, 12 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Owasp
Owasp coreruleset
Vendors & Products Owasp
Owasp coreruleset

Thu, 08 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 14:15:00 +0000

Type Values Removed Values Added
Description The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue.
Title OWASP CRS has multipart bypass using multiple content-type parts
Weaknesses CWE-794
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N'}

Subscriptions

Owasp Coreruleset Owasp Modsecurity Core Rule Set
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T15:41:17.073Z

Reserved: 2026-01-05T17:24:36.927Z

Link: CVE-2026-21876

cve-icon Vulnrichment

Updated: 2026-01-08T14:52:52.629Z

cve-icon NVD

Status : Modified

Published: 2026-01-08T14:15:57.087

Modified: 2026-04-09T16:16:26.437

Link: CVE-2026-21876

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:00:05Z

Weaknesses