CVE-2026-21876
CRITICAL · 9.3 · EPSS 0.1%
Real vuln with patches shipped, but no PoC, no KEV; recycled patch announcements dominate chatter.
What: Logic bug in OWASP CRS rule 922110 allowing multipart requests with malicious charsets in early parts to bypass detection if later parts contain legitimate charsets (CVSS 9.3 CRITICAL). Affects CRS <4.22.0 and <3.3.8.
Why it matters: Patches released (CRS 4.22.0 and 3.3.8); vendor actively addressing. High CVSS reflects WAF bypass potential. No KEV listing, no public PoC confirmed in posts, no in-the-wild exploitation reports yet. Chatter is primarily patch notification, not exploitation discussion.
Where it's seen: Repetitive social posts (mostly same account variants) announcing patch availability. Appears to be coordinated awareness campaign rather than organic security community reaction. No defender triage questions or PoC repositories mentioned.
RISK: HIGH — Critical CVSS, WAF bypass affects cloud/enterprise deployments, patches available but adoption lag risk.
AttackerKB
view on attackerkb.com →
The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue.
Public PoCs on GitHub 5 repos
- nomi-sec/PoC-in-GitHub ★ 7687
📡 PoC auto-collected from GitHub. ⚠️ Be careful: malware.
- DarkFunct/TK-CVE-Repo ★ 49 · Python
TK-CVE-Repo
- magercode/List-CVE-2025-2026 ★ 1
Updated list of CVEs for 2025-2026
- Mefhika120/CVE-2026-21876 ★ 0
CVE-2026-21876 OWASP ModSecurity CRS WAF bypass (docker container + minimal PoC).
- daytriftnewgen/CVE-2026-21876 ★ 0 · Python
[Reupload] CVE-2026-21876 minimal PoC with docker container.
Articles & coverage 15 articles
- CVE-2026-21876 (CVSS 9.3) Bypasses OWASP CRS Ch…
CVE-2026-21876 lets attackers sneak past WAFs via charset logic flaws—critical fix instructions and breach prevention tips inside.
- CVE-2026-21876 — Root cause, Reproduction, Impact and Lessons ...
Thus, to exploit this vulnerability, all it takes is a single multipart parameter at the end in a valid encoding. …and here's why it's
- CVE-2026–21876: Critical WAF Bypass Explained | by Eric Blancas
Here's what makes this vulnerability particularly dangerous: the exploit is trivial. An attacker simply needs to send a multipart HTTP
- CVE‑2026‑21876: A Critical Multipart Parsing Flaw in OWASP Core ...
Threat actors can exploit this to bypass charset validation and smuggle malicious payloads inside earlier sections of a multipart request. This
- CVE-2026-21876 (OWASP CRS WAF bypass) - GitHub
CVE-2026-21876 OWASP ModSecurity CRS WAF bypass (docker container + minimal PoC) ... The vulnerability fix was ready in a very short time. Lab deployment. ~/CVE
NVD details · 1 CWE · 1 vendor · 6 refs
Description
The OWASP core rule set (CRS) is a set of generic attack detection rules for use with compatible web application firewalls. Prior to versions 4.22.0 and 3.3.8, the current rule 922110 has a bug when processing multipart requests with multiple parts. When the first rule in a chain iterates over a collection (like `MULTIPART_PART_HEADERS`), the capture variables (`TX:0`, `TX:1`) get overwritten with each iteration. Only the last captured value is available to the chained rule, which means malicious charsets in earlier parts can be missed if a later part has a legitimate charset. Versions 4.22.0 and 3.3.8 patch the issue.
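As an added illustration (not CRS code or the project's own rule text), the following Python models the chain semantics described above: a first rule that iterates over the part headers and overwrites `TX:0`/`TX:1` on every match, beside a check that applies the charset allow-list to each part on its own. The multipart body and the allow-list are constructed for the example; CRS keeps its own configurable allow-list.

```python
import re

BOUNDARY = "----ExampleBoundary"  # constructed value

# Allow-list assumed for this example; CRS has its own configurable list.
ALLOWED_CHARSETS = {"utf-8", "iso-8859-1", "iso-8859-15", "windows-1252"}
CHARSET_RE = re.compile(r"charset\s*=\s*\"?([^\";\s]+)", re.I)


def build_body(*charsets):
    """Build a constructed multipart/form-data body, one text part per charset."""
    parts = "".join(
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="p{i}"\r\n'
        f"Content-Type: text/plain; charset={cs}\r\n\r\npart {i}\r\n"
        for i, cs in enumerate(charsets)
    )
    return parts + f"--{BOUNDARY}--\r\n"


def part_headers(body):
    """Header block of each part, the equivalent of MULTIPART_PART_HEADERS."""
    headers = []
    for chunk in body.split(f"--{BOUNDARY}")[1:]:
        if chunk.startswith("--"):
            break  # closing delimiter
        headers.append(chunk.lstrip("\r\n").split("\r\n\r\n", 1)[0])
    return headers


def chained_rule_buggy(body):
    """Pre-fix shape of the chain: the first rule iterates the collection and
    captures into TX:0/TX:1, overwriting them on every iteration, so the chained
    rule evaluates only the charset of the last part that carried one."""
    tx = {}
    for hdr in part_headers(body):
        m = CHARSET_RE.search(hdr)
        if m:
            tx["0"], tx["1"] = m.group(0), m.group(1)  # earlier capture is lost
    return bool(tx) and tx["1"].lower() not in ALLOWED_CHARSETS


def per_part_rule(body):
    """Evaluate the allow-list against every part's charset individually."""
    return any(
        m.group(1).lower() not in ALLOWED_CHARSETS
        for hdr in part_headers(body)
        if (m := CHARSET_RE.search(hdr))
    )
```

With a disallowed charset in the first part and `utf-8` in the last, `chained_rule_buggy` returns False (the request passes) while `per_part_rule` returns True; swapping the order makes both fire, which is the behaviour the description above attributes to the unpatched rule.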
References
- https://github.com/coreruleset/coreruleset/commit/80d80473abf71bd49bf6d3c1ab221e3c74e4eb83
- https://github.com/coreruleset/coreruleset/commit/9917985de09a6cf38b3261faf9105e909d67a7d6
- https://github.com/coreruleset/coreruleset/releases/tag/v3.3.8
- https://github.com/coreruleset/coreruleset/releases/tag/v4.22.0
Top posts driving the trend
- @YasirRazaHaidriX · 5/2/2026
Critical CVE-2026-21876 multipart charset bypass patched in CRS 4.22.0 and 3.3.8.
♥ 0 · ↻ 0 · 💬 0
- @YasirRazaHaidriX · 5/1/2026
CRS 4.22.0 & 3.3.8 patch CVE-2026-21876, a critical multipart charset bypass vulnerability. Source: https://t.co/OlLH6HKbK0
♥ 0 · ↻ 0 · 💬 0
- @yasirrazahaidryX · 5/1/2026
The critical CVE-2026-21876 multipart charset bypass has been fixed in CRS 4.22.0 and 3.3.8 Source: https://t.co/5YTAziuJ8u
♥ 0 · ↻ 0 · 💬 0
- @yasirrazahaidryX · 5/1/2026
CRS 4.22.0 & 3.3.8 patch critical CVE-2026-21876 multipart charset bypass. Source: https://t.co/5YTAziuJ8u
♥ 0 · ↻ 0 · 💬 0
- @reverseameX · 5/1/2026
CVE-2026-21876: Critical Multipart Charset Bypass Fixed in CRS 4.22.0 and 3.3.8 https://t.co/p7JevgV16t
♥ 2 · ↻ 0 · 💬 0