Multipart Request Bug in OWASP Core Rule Set Affects Web Application Firewalls
CVE-2026-21876

9.3 CRITICAL

Key Information:

Vendor
CVE Published: 8 January 2026

Badges

News Worthy

What is CVE-2026-21876?

The OWASP Core Rule Set, used by web application firewalls, mishandles multipart requests. While iterating over the multipart headers, the rule set overwrites its capture variables on each pass, so only the value captured from the last part is actually checked. Malicious data in earlier parts of a multipart request can therefore be overlooked when the last part is considered valid. The vulnerability is patched in versions 4.22.0 and 3.3.8, restoring the integrity of attack detection for these requests.
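
A simplified model of the overwrite described above, added here as an illustration and not taken from the Core Rule Set. The header inspected (a per-part charset), the allowlist, the function names and the sample body are all assumptions; each check returns True when the request would pass.

```python
# Simplified model of the flaw class described above; not CRS rule code.
# The inspected header (per-part charset) and the allowlist are assumptions.
import re

ALLOWED = {"utf-8", "iso-8859-1"}  # constructed allowlist
CHARSET_RE = re.compile(r'charset\s*=\s*"?([\w.:-]+)"?', re.I)

def part_headers(body: bytes, boundary: str) -> list[str]:
    """Return the raw header block of every part in a multipart body."""
    blocks = []
    for chunk in body.split(b"--" + boundary.encode())[1:]:
        if chunk.startswith(b"--"):  # closing delimiter reached
            break
        head, _, _ = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        blocks.append(head.decode("latin-1"))
    return blocks

def flawed_check(headers: list[str]) -> bool:
    """Capture is overwritten on each pass; only the last value is validated."""
    captured = None
    for h in headers:
        m = CHARSET_RE.search(h)
        if m:
            captured = m.group(1).lower()  # earlier capture is lost here
    return captured is None or captured in ALLOWED

def fixed_check(headers: list[str]) -> bool:
    """Validate each captured value before moving on to the next part."""
    for h in headers:
        m = CHARSET_RE.search(h)
        if m and m.group(1).lower() not in ALLOWED:
            return False
    return True

# Constructed sample body: a disallowed value in part 1, an allowed one in part 2.
BOUNDARY = "b0undary"
SAMPLE = (
    b"--b0undary\r\n"
    b'Content-Disposition: form-data; name="a"\r\n'
    b"Content-Type: text/plain; charset=x-not-allowed\r\n\r\n"
    b"first\r\n"
    b"--b0undary\r\n"
    b'Content-Disposition: form-data; name="b"\r\n'
    b"Content-Type: text/plain; charset=utf-8\r\n\r\n"
    b"second\r\n"
    b"--b0undary--\r\n"
)
```

Running both checks over `part_headers(SAMPLE, BOUNDARY)` shows the difference: the flawed loop passes the request, the per-part check rejects it.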

Affected Version(s)

coreruleset < 4.22.0

coreruleset < 3.3.8

News Articles

Week in review: Claude Mythos finds 271 Firefox flaws, Vercel breach - Help Net Security

Here's an overview of some of last week's most interesting news, articles, interviews and videos: SmokedMeat: Open-source tool shows what attackers do

5 days ago

CVSS V3.1

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • First article discovered by Help Net Security

  • Vulnerability published

  • Vulnerability Reserved