OWASP CRS Flaw Lets Encoded Attacks Slip Past WAFs

A critical OWASP CRS flaw allows encoded XSS attacks to bypass WAF charset validation.

Written by Ken Underhill
Jan 9, 2026

A newly disclosed critical flaw in the OWASP Core Rule Set allows attackers to bypass charset validation and quietly launch cross-site scripting (XSS) attacks against web applications. 

The flaw weakens an important defensive control that many organizations rely on at the web application firewall (WAF) layer to detect and block encoded attacks. 

The vulnerability “… allows attackers to bypass charset validation by exploiting how ModSecurity’s chained rules process collection,” said the OWASP CRS team.

How the OWASP CRS Charset Bypass Works

The vulnerability, tracked as CVE-2026-21876, affects a core rule in the OWASP Core Rule Set that is widely deployed across Apache ModSecurity, ModSecurity v3, and Coraza environments. 

Because CRS is commonly used as a first line of defense for web applications, the flaw reduces the effectiveness of WAF protections designed to block encoded attack payloads, increasing reliance on backend application controls.

The issue affects CRS versions 3.3.x through 3.3.7 and 4.0.0 through 4.21.0, putting a large number of production environments at risk.

At the center of the issue is rule 922110, which is intended to detect and block dangerous character encodings — such as UTF-7 and UTF-16 — within multipart form requests. 

These encodings have long been used by attackers to evade input filters and deliver cross-site scripting (XSS) payloads in a way that can bypass naïve validation logic.

Researchers found that the rule does not consistently evaluate all parts of a multipart HTTP request. Instead, it validates only the final segment, ignoring earlier components entirely. 

This behavior allows attackers to construct multipart requests in which a malicious, UTF-7–encoded JavaScript payload is placed in an early part of the request, followed by benign UTF-8 content in the final part. 

Because the rule inspects only the last segment, the request can pass through the WAF without triggering an alert.

The vulnerability has been assigned a CVSS score of 9.3, reflecting its remote exploitability and lack of authentication requirements. 

While no active exploitation has been reported, the technique uses well-known encoding-based XSS methods and requires minimal effort to execute. 


Reducing Risk from OWASP CRS Rule Failures

While applying the latest OWASP CRS updates is the most important step, additional controls can help detect attempted bypasses and limit potential impact.

  • Upgrade OWASP CRS deployments immediately to version 4.22.0 (CRS 4.x) or 3.3.8 (CRS 3.3.x) and confirm the updated rules are actively enforced.
  • Verify WAF configurations and logs to ensure multipart request inspection is functioning correctly and that no legacy rules remain loaded.
  • Restrict accepted character encodings to UTF-8 at the web server and application layers, explicitly blocking legacy encodings such as UTF-7.
  • Implement custom or compensating WAF rules to detect or block multipart requests with mixed or unusual charset declarations.
  • Strengthen application-layer defenses by enforcing robust input validation, context-aware output encoding, and restrictive Content Security Policy (CSP) headers.
  • Enhance monitoring and incident readiness by tracking anomalous multipart traffic patterns and regularly validating that protections trigger as expected.
  • Test and refine incident response plans through tabletop exercises and attack simulations.
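The inspection gap described above (a rule that looks only at the final multipart segment) and the compensating check recommended in the list (allow-listing UTF-8 across every part) can be shown side by side. The following is an added example, not code from the article or from the CRS project; the parser, the two check functions, the allow-list and the sample request body are all the example's own constructions, and the part content is a placeholder string, not a payload.

```python
# Added example, not code from the article or from the CRS project: a minimal
# multipart parser and two charset checks, one mirroring the "last part only"
# behaviour the article attributes to rule 922110 and one inspecting every part.
import re
ALLOWED_CHARSETS = {"utf-8", "us-ascii"}   # allow-list per the mitigation list (assumed)
CHARSET_RE = re.compile(r'charset\s*=\s*"?([\w.-]+)"?', re.IGNORECASE)

def parse_multipart(body, boundary):
    """Split a multipart/form-data body into [{'headers': {...}, 'content': bytes}]."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):            # closing delimiter reached
            break
        head, _, content = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        parts.append({"headers": headers, "content": content.rstrip(b"\r\n")})
    return parts

def declared_charset(part):
    """Charset named in the part's Content-Type header (lower-cased), or None."""
    m = CHARSET_RE.search(part["headers"].get("content-type", ""))
    return m.group(1).lower() if m else None

def last_part_only_check(parts):
    """Flawed logic: only the final part is evaluated. True means the request passes."""
    cs = declared_charset(parts[-1]) if parts else None
    return cs is None or cs in ALLOWED_CHARSETS

def offending_parts(parts):
    """Compensating logic: indices of every part declaring a charset outside the allow-list."""
    return [i for i, p in enumerate(parts)
            if (declared_charset(p) or "utf-8") not in ALLOWED_CHARSETS]

# Constructed body in the shape the article describes: an early UTF-7 part,
# then a benign UTF-8 part. Content is a placeholder string, not a payload.
BOUNDARY = "XXboundaryXX"
SAMPLE_BODY = b"\r\n".join([
    b"--XXboundaryXX",
    b'Content-Disposition: form-data; name="comment"',
    b"Content-Type: text/plain; charset=utf-7", b"", b"PLACEHOLDER_CONTENT",
    b"--XXboundaryXX",
    b'Content-Disposition: form-data; name="note"',
    b"Content-Type: text/plain; charset=utf-8", b"", b"hello", b"--XXboundaryXX--", b"",
])
```

Run against the constructed body, `last_part_only_check` returns True (the request would pass) while `offending_parts` returns `[0]`, identifying the early UTF-7 part that a per-part allow-list would block or log.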

Together, these measures help maintain the effectiveness of WAF protections even when individual rules have limitations.


The Risk of Assuming Security Tools Always Work

Even well-established and widely trusted security controls can be undermined by subtle logic or implementation flaws that are difficult to detect through routine operation alone. 

As attackers increasingly focus on probing edge cases in security tooling, relying on “set-and-forget” protections becomes less effective over time. 

This reality underscores the need for regular updates, validation, and testing of defensive controls to ensure they continue to function as intended in the face of evolving attack techniques.

As a result, many organizations are reexamining their security assumptions and turning toward zero-trust principles that emphasize continuous verification over implicit trust.
