CVE-2026-21876 — Root cause, Reproduction, Impact and Lessons Learned Author: Daytrift Newgen Target: OWASP CRS < 4.22.0/3.3.8 Impact: WAF Bypass Status: Patched, PoC is available TL;DR Around the …

InfoSecWriteUps' platform is  dedicated to providing insights and resources for cybersecurity professionals and enthusiasts. Through articles, tutorials, and security research, InfoSecWriteUps offers insights into cybersecurity vulnerabilities, attack techniques, and defense strategies. Readers can learn about penetration testing, threat intelligence, and incident response to enhance their cybersecurity knowledge and skills.

InfoSec Write-ups

A researcher discovered CVE-2026-21876, a WAF bypass vulnerability in OWASP Core Rule Set (CRS) versions before 4.22.0/3.3.8. The flaw lies in rule 922110, which checks charset values in multipart request headers. Because the internal variable TX:1 is overwritten with each multipart part iteration and only checked after the loop completes, an attacker can append a valid-charset parameter at the end of a malicious multipart request to bypass the security check. The vulnerability affects any WAF product using OWASP CRS (ModSecurity, Coraza, etc.) and is now patched. The key lesson: WAFs should not be the sole security layer.

CVE-2026-21876 — Root cause, Reproduction, Impact and Lessons Learned

Get Daytrift Newgen’s stories in your inbox

…and here’s why it’s actually dangerous