CVE-2026-21876

CRITICAL LAB

OWASP CRS <4.22.0-3.3.8 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 6 public exploits for CVE-2026-21876. PoCs published by anonimicerum, XiaomingX, daytriftnewgen.

AI-analyzed exploit summary: This exploit demonstrates a firewall bypass in Core Rule Set (CRS) versions < 4.22.0/3.3.8 by encoding form data in UTF-7 and converting it to multipart, evading detection rules. It acts as a proxy to forward malicious requests to a target upstream server.

Description

The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue.

Exploits (6)

exploitdb WORKING POC
by anonimicerum · python · webapps · multiple
https://www.exploit-db.com/exploits/52558

This exploit demonstrates a firewall bypass in Core Rule Set (CRS) versions < 4.22.0/3.3.8 by encoding form data in UTF-7 and converting it to multipart, evading detection rules. It acts as a proxy to forward malicious requests to a target upstream server.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Core Rule Set (CRS) < 4.22.0/3.3.8
No auth needed
Prerequisites: Target running vulnerable CRS version · Network access to the target
devstral-2 · analyzed May 14, 2026
github WORKING POC 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-21876

This repository contains a functional PoC for CVE-2026-21876, demonstrating a WAF bypass in OWASP CRS via a crafted multipart/form-data request with a non-standard charset (utf-7). The exploit leverages improper charset handling to bypass input validation.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: OWASP ModSecurity Core Rule Set (CRS) versions before 4.22.0 and 3.3.8
No auth needed
Prerequisites: Docker environment · OWASP CRS WAF configured with vulnerable rules
devstral-2 · analyzed Feb 27, 2026
nomisec WORKING POC 4 stars
by daytriftnewgen · poc
https://github.com/daytriftnewgen/CVE-2026-21876

This repository contains a proof-of-concept for CVE-2026-21876, demonstrating a WAF bypass via a multipart/form-data charset manipulation technique. The exploit leverages a non-standard charset (utf-7) to encode malicious payloads, bypassing OWASP CRS WAF rules.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: OWASP ModSecurity Core Rule Set (CRS) versions prior to 4.22.0 and 3.3.8
No auth needed
Prerequisites: Access to a target system with vulnerable OWASP CRS WAF · Ability to send crafted HTTP requests
devstral-2 · analyzed Feb 16, 2026
github WORKING POC 3 stars
by adminlove520 · python · poc
https://github.com/adminlove520/CVE-Poc_All_in_One/tree/main/2026/CVE-2026-21876

This repository contains a functional PoC for CVE-2026-21876, demonstrating a WAF bypass in OWASP CRS via a crafted multipart/form-data request with a non-standard charset (utf-7). The exploit leverages a vulnerability where the WAF fails to properly validate the charset, allowing malicious payloads to bypass security checks.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: OWASP ModSecurity Core Rule Set (CRS) versions before 4.22.0 and 3.3.8
No auth needed
Prerequisites: Access to a target system running a vulnerable version of OWASP CRS · Ability to send crafted HTTP requests to the target
devstral-2 · analyzed May 06, 2026
nomisec WORKING POC
by CVEs-Labs · poc
https://github.com/CVEs-Labs/CVE-2026-21876

This repository provides a lab environment for CVE-2026-21876, demonstrating an XSS vulnerability in a Flask application. The exploit involves crafting a malicious multipart/form-data request to bypass WAF protections and execute arbitrary JavaScript.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Moderate
Reliability: Reliable
Target: Flask application with ModSecurity WAF
No auth needed
Prerequisites: Docker and Docker Compose installed · Burp Suite for crafting the exploit request
devstral-2 · analyzed Apr 23, 2026
nomisec WORKING POC
by Mefhika120 · poc
https://github.com/Mefhika120/CVE-2026-21876

This repository contains a functional PoC for CVE-2026-21876, demonstrating a WAF bypass in OWASP CRS via a crafted multipart/form-data request using a non-standard charset (utf-7) to evade detection. The included Docker setup provides a test environment with a vulnerable OWASP ModSecurity CRS instance and a Flask backend to validate the bypass.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: OWASP ModSecurity Core Rule Set (CRS) versions before 4.22.0 and 3.3.8
No auth needed
Prerequisites: Docker environment · Network access to the target WAF
devstral-2 · analyzed Apr 10, 2026

Scores

CVSS v3 9.3
EPSS 0.1312
EPSS Percentile 95.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Lab Environment

COMMUNITY
Community Lab
docker pull owasp/modsecurity-crs:3.3.7-nginx-202511100111

Details

CWE
CWE-794
Status published
Products (3)
coreruleset/coreruleset < 3.3.8
coreruleset/coreruleset < 4.22.0
owasp/owasp_modsecurity_core_rule_set < 3.3.8
Published Jan 08, 2026
Tracked Since Feb 18, 2026